Vulnerability Development mailing list archives
Basic authentication with IIS 5, IE 6.0 on Windows 2000 serv
From: Randhir Vayalambrone <vayalambrones () yahoo com>
Date: Fri, 7 May 2004 13:13:29 -0700 (PDT)
Anyone ever noticed this error message "The data area passed to a system call is too small." with Microsoft IIS when using Basic authentication? Here are some details on how to reproduce this:

Operating system: Windows 2000 Server, Service Pack 4 (running all the latest patches)
Software: Microsoft IIS 5 (running all the latest patches), Internet Explorer 6.0 Service Pack 1

Steps to reproduce the problem:

1) Create a virtual directory in IIS, create a default.html page under the virtual directory, enable default document for the directory and set the default page to default.html. Set the authentication mechanism to "Basic authentication" (uncheck all other forms of authentication).

2) Try to access the above site using Internet Explorer; an authentication dialog will pop up. In the username and password text fields, copy and paste some huge amount of data; the site reports an error "The data area passed to a system call is too small."

My question: is the above thing a known issue and is it exploitable (could it result in a stack or heap buffer overflow)? I tested this on a secure test web site.

Any thoughts on this?

Thanks,
Randhir V.

=====
"If you can imagine it, you can achieve it; if you can dream it, you can become it." (William Arthur Ward)