Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  DoS против Microsoft ISA (invalid proxy request)

  [SX-20010320-2b] - Followup re. Microsoft ISA Server Denial of Service

  [SX-20010320-2] - Microsoft ISA Server Denial of Service

From:MICROSOFT <secure_(at)_microsoft.com>
Date:16.04.2001
Subject:Security Bulletin MS01-021

- ----------------------------------------------------------------------
Title:      Invalid Web Request Can Cause Access Violation in ISA
           Server Web Proxy Service
Date:       16 April 2001
Software:   ISA Server 2000
Impact:     Denial of service
Bulletin:   MS01-021

Microsoft encourages customers to review the Security Bulletin
at: http://www.microsoft.com/technet/security/bulletin/MS01-021.asp.
- ----------------------------------------------------------------------

Issue:
======
The ISA Server Web Proxy service does not correctly handle web
requests that contain a particular type of malformed argument.
Processing such a request would result in an access violation,
which would cause the Web Proxy service to fail. This would disrupt
all ingoing and outgoing web proxy requests until the service was
restarted.

Mitigating Factors:
====================
- The vulnerability could be exploited from the Internet only
  if the Web Publishing feature were enabled. By default,
  this feature is disabled.
- The vulnerability would not enable an attacker to breach the
  security of the firewall - that is, it would not enable the
  attacker to access protected resources or bypass the firewall.
  It would only enable the attacker to deny legitimate service
  to other users.
- The vulnerability would only allow the Web Proxy service to
  be disrupted. Other ISA services would continue functioning
  normally.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
  Security Bulletin
  http://www.microsoft.com/technet/security/bulletin/ms01-021.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Dr. Richard Reiner, Graham Wiseman, Matthew Siemens, and
  Kent Nicolson of FSC Internet Corp. / SecureXpert Labs
 (http://www.fscinternet.com / http://www.securexpert.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT
APPLY.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod