Vulnerability Development mailing list archives
Re: Patch for the "Microsoft IIS False Content-Length Field DoS Vulnerability" (bid 3667)
From: Ivan Hernandez <ivan.hernandez () globalsis com ar>
Date: Wed, 06 Mar 2002 15:41:11 -0300
Your understanding is correct. Your patch would solve the problem correctly!

Ivan Hernandez

Bob at firstcodings wrote:
Hi members,

I think no patch has been released as of today... so I wrote one myself using ISAPI filters. As I understood the RFCs, a hit generated by a "GET" method does not need the "Content-Length:" header. If this is true, I think my filter is correct.

The page is http://bob.firstcodings.com/programs/dropcontentlengthget/ (source code is included).

For now, please consider this filter a "beta release". I installed this filter on a production server which has an average load: after 2 days and at this point, all is fine. Above all, the exploit described in bid 3667 does not work anymore.

Please email me at "dropContentLengthGet () firstcodings net" with any comments/feedback/suggestions about this filter.

Bob - firstcodings.

P.S.: my English may not be correct, sorry :)
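The approach described in the message above (drop "Content-Length:" when the method is GET), sketched as an added example in plain C. It is not the filter's source, which is only linked from the thread, and it does not use the ISAPI API; the function name `drop_content_length_on_get` and the sample requests are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample requests (not taken from the thread). */
static const char SAMPLE_GET[] =
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\ncontent-length: 1000\r\n\r\n";
static const char SAMPLE_POST[] =
    "POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n";

/* Case-insensitive match of the first n bytes of s against name. */
static int name_eq(const char *s, const char *name, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: copy the request head in req to out, omitting every
 * Content-Length header line when the method is GET. Returns the number of
 * lines dropped, or -1 if out is too small or the head is incomplete. */
int drop_content_length_on_get(const char *req, char *out, size_t outsz)
{
    static const char name[] = "Content-Length";
    const size_t nlen = sizeof name - 1;
    const int is_get = strncmp(req, "GET ", 4) == 0; /* method is case-sensitive */
    int dropped = 0, first = 1;
    size_t used = 0;

    for (const char *p = req; *p; first = 0) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) return -1;                      /* line not terminated */
        size_t body = (size_t)(eol - p), len = body + 2;
        int skip = 0;
        if (is_get && !first && body > nlen && name_eq(p, name, nlen)) {
            const char *q = p + nlen;
            while (*q == ' ' || *q == '\t') q++;  /* tolerate "Name :" */
            skip = (*q == ':');
        }
        if (skip) dropped++;
        else {
            if (used + len >= outsz) return -1;   /* keep room for the NUL */
            memcpy(out + used, p, len);
            used += len;
        }
        p += len;
        if (body == 0) { out[used] = '\0'; return dropped; } /* blank line ends head */
    }
    return -1;                                    /* no blank line seen */
}
```

Header names are matched case-insensitively and repeated Content-Length lines are all dropped, while requests with any other method pass through unchanged.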
Current thread:
- Patch for the "Microsoft IIS False Content-Length Field DoS Vulnerability" (bid 3667) Bob at firstcodings (Mar 04)
- Re: Patch for the "Microsoft IIS False Content-Length Field DoS Vulnerability" (bid 3667) Ivan Hernandez (Mar 06)