Re: MS IIS 5.0 Access Violation on handling URL String

[zthompson () ATT COM (Thompson, Zach, CPG)]

Wouldn't the use of Microsoft Transaction Server allow the transaction to be
recovered as soon as the IIS service is restarted? If you had a web
application that you ran in a separate memory space from IIS, then if you
crashed IIS, the transaction could possibly still be processed outside of
the IIS service.

If you are using Transaction Server, the application/process that is
handling the request would be managed by a Transaction Processing
Monitor(TPC) which is there for providing fault tolerance in situations like
the one described below. As soon as the IIS service was restarted, it would
be conceivable that the TPC could then hand the completed transaction back
to the client.

-Z

-----Original Message-----
From: Lark Lizerman [mailto:webmaster () DOC2000 DE]
Sent: Saturday, January 15, 2000 10:14 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: MS IIS 5.0 Access Violation on handling URL String

Danger:
The fact at this point is that it is possible to crash  IIS 5.0 and the
process must be restarted what means data loss at all clients connected.
On a CreditCard transaction / Stock Systems it would mean dramatic financial
loss.
The main danger is not, that a website with few hundred visitors will become
unavailable for some seconds, but if it is a SSL System
which handles transactions get's interrupted while datatransfer. Imagine you
sell shares for 200.000$ and your order get's interrupted you may loose a
_lot_ of money. Most transactionsystems are Unix but in the past more and
more NT Systems have been used for this kind
of business.

greets
Lark Lizerman