ID

VAR-200204-0008


CVE

CVE-2002-0072


TITLE

Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request exceeds maximum allowed length

Trust: 0.8

sources: CERT/CC: VU#521059

DESCRIPTION

The w3svc.dll ISAPI filter in FrontPage Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer. Intruders may be able to cause the IIS service to fail by sending a particular kind of overly-long URL. A vulnerability has been identified in the way Microsoft Internet Information Server handles URL errors. The ISAPI filter involved in this vulnerability is installed by FrontPage Server Extensions and ASP.NET. On IIS 4.0 servers, the service must be manually restarted. On IIS 5.0 and 5.1 servers, the service will restart itself automatically. Custom ISAPI filters may also be affected by this condition. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.

Trust: 2.61

sources: NVD: CVE-2002-0072 // CERT/CC: VU#521059 // JVNDB: JVNDB-2002-000078 // BID: 4479

AFFECTED PRODUCTS

vendor: microsoft, model: internet information server, scope: eq, version: 4.0

Trust: 1.6

vendor: microsoft, model: internet information services, scope: eq, version: 5.0

Trust: 1.6

vendor: microsoft, model: iis, scope: eq, version: 5.1

Trust: 1.1

vendor: microsoft, model: iis, scope: eq, version: 5.0

Trust: 1.1

vendor: microsoft, model: iis, scope: eq, version: 4.0

Trust: 1.1

vendor: microsoft, model: -, scope: -, version: -

Trust: 0.8

vendor: microsoft, model: internet information server, scope: eq, version: 5.0

Trust: 0.6

vendor: microsoft, model: internet information server, scope: eq, version: 5.1

Trust: 0.6

vendor: cisco, model: unity server, scope: eq, version: 2.4

Trust: 0.3

vendor: cisco, model: unity server, scope: eq, version: 2.3

Trust: 0.3

vendor: cisco, model: unity server, scope: eq, version: 2.2

Trust: 0.3

vendor: cisco, model: unity server, scope: eq, version: 2.1

Trust: 0.3

vendor: cisco, model: unity server, scope: eq, version: 2.0

Trust: 0.3

vendor: cisco, model: call manager, scope: eq, version: 3.2

Trust: 0.3

vendor: cisco, model: call manager, scope: eq, version: 3.1

Trust: 0.3

vendor: cisco, model: call manager, scope: eq, version: 3.0

Trust: 0.3

vendor: cisco, model: building broadband service manager, scope: eq, version: 5.1

Trust: 0.3

vendor: cisco, model: building broadband service manager, scope: eq, version: 5.0

Trust: 0.3

vendor: cisco, model: building broadband service manager, scope: eq, version: 4.5

Trust: 0.3

vendor: cisco, model: building broadband service manager, scope: eq, version: 4.4

Trust: 0.3

vendor: cisco, model: building broadband service manager, scope: eq, version: 4.3

Trust: 0.3

vendor: cisco, model: building broadband service manager, scope: eq, version: 4.2

Trust: 0.3

vendor: cisco, model: building broadband service manager, scope: eq, version: 4.0.1

Trust: 0.3

sources: CERT/CC: VU#521059 // BID: 4479 // JVNDB: JVNDB-2002-000078 // CNNVD: CNNVD-200204-031 // NVD: CVE-2002-0072

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2002-0072
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#521059
value: 33.30

Trust: 0.8

NVD: CVE-2002-0072
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200204-031
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2002-0072
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#521059 // JVNDB: JVNDB-2002-000078 // CNNVD: CNNVD-200204-031 // NVD: CVE-2002-0072

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2002-0072

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200204-031

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-200204-031

CONFIGURATIONS

sources: JVNDB: JVNDB-2002-000078

PATCH

title: MS02-018, url: http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx

Trust: 0.8

title: MS02-018, url: http://www.microsoft.com/japan/technet/security/bulletin/MS02-018.mspx

Trust: 0.8

title: Microsoft Internet Information Services ISAPI Enter the fix for the verification error vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134900

Trust: 0.6

sources: JVNDB: JVNDB-2002-000078 // CNNVD: CNNVD-200204-031

EXTERNAL IDS

db: CERT/CC, id: VU#521059

Trust: 3.5

db: BID, id: 4479

Trust: 2.7

db: NVD, id: CVE-2002-0072

Trust: 2.4

db: OSVDB, id: 3326

Trust: 1.6

db: JVNDB, id: JVNDB-2002-000078

Trust: 0.8

db: CNNVD, id: CNNVD-200204-031

Trust: 0.6

sources: CERT/CC: VU#521059 // BID: 4479 // JVNDB: JVNDB-2002-000078 // CNNVD: CNNVD-200204-031 // NVD: CVE-2002-0072

REFERENCES

url:http://www.kb.cert.org/vuls/id/521059

Trust: 3.7

url:http://www.cert.org/advisories/ca-2002-09.html

Trust: 3.4

url:http://www.securityfocus.com/bid/4479

Trust: 3.4

url:http://marc.info/?l=bugtraq&m=101853851025208&w=2

Trust: 2.6

url:http://www.cisco.com/warp/public/707/microsoft-iis-vulnerabilities-ms02-018.shtml

Trust: 2.6

url:http://www.iss.net/security_center/static/8800.php

Trust: 2.6

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018

Trust: 2.6

url:http://www.osvdb.org/3326

Trust: 2.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2002-0072

Trust: 0.8

url:http://www.jpcert.or.jp/wr/2002/wr021401.txt

Trust: 0.8

url:http://jvn.jp/cert/jvnca-2002-09

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2002-0072

Trust: 0.8

url:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp

Trust: 0.3

url:http://support.microsoft.com/default.aspx?scid=kb;en-us;q317636

Trust: 0.3

url:http://www.microsoft.com/technet/security/advisory/default.mspx

Trust: 0.3

sources: CERT/CC: VU#521059 // BID: 4479 // JVNDB: JVNDB-2002-000078 // CNNVD: CNNVD-200204-031 // NVD: CVE-2002-0072

CREDITS

Discovery of this vulnerability is credited to Dave Aitel of @Stake.

Trust: 0.3

sources: BID: 4479

SOURCES

db: CERT/CC, id: VU#521059
db: BID, id: 4479
db: JVNDB, id: JVNDB-2002-000078
db: CNNVD, id: CNNVD-200204-031
db: NVD, id: CVE-2002-0072

LAST UPDATE DATE

2024-11-22T22:57:16.468000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#521059, date: 2002-04-10T00:00:00
db: BID, id: 4479, date: 2002-04-10T00:00:00
db: JVNDB, id: JVNDB-2002-000078, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200204-031, date: 2020-11-25T00:00:00
db: NVD, id: CVE-2002-0072, date: 2024-11-20T23:38:14.387

SOURCES RELEASE DATE

db: CERT/CC, id: VU#521059, date: 2002-04-10T00:00:00
db: BID, id: 4479, date: 2002-04-10T00:00:00
db: JVNDB, id: JVNDB-2002-000078, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200204-031, date: 2002-04-22T00:00:00
db: NVD, id: CVE-2002-0072, date: 2002-04-22T04:00:00