SI-CERT 2002-02 / Microsoft IIS kumulativni popravki

Popravki za več varnostnih lukenj v Microsoft Internet Information Server (IIS) produktu.

Prizadete verzije:

• Microsoft Internet Information Server 4.0
• Microsoft Internet Information Server 5.0
• Microsoft Internet Information Server 5.1
• Microsoft Internet Information Server 6.0 Beta build 3605 in predhodni

Opis 

Microsoft je izdal kumulativne popravke za IIS 4.0, 5.0 in 5.1 strežnike, ki poleg starih pomanjkljivosti in lukenj odpravljajo tudi deset novoodkritih:

• Heap Buffer overflow in ASP chunked encoding routines
• Buffer overflow within the ASP data transfer mechanism
• Buffer overflow in IIS HTTP header delimiter parsing
• Buffer overflow in IIS ASP Server-Side Include routines
• Buffer overflow in the HTR ISAPI extension
• Denial of service caused by improper handling of error conditions in ISAPI filters
• Denial of service in the IIS 4.0, 5.0 and 5.1 FTP (File Transfer Protocol) service
• Cross-Site Scripting (CSS) vulnerabilities present in IIS 4.0, 5.0 and 5.1 

Nekatere od naštetih lukenj omogočajo vdor v sistem s pridobitvijo administrativnih pravic na njem. Potencialno nevarnost predstavljajo morebitni avtomatizirani napadi in internetni črvi (glej SI-CERT obvestili 2001-08.html in 2001-07).

Rešitev

Priporočamo, da takoj namestite popravke za ustrezne verzije Microsoft IIS strežnika:

•  Microsoft IIS 4.0: http://www.microsoft.com/Download/Release.asp?ReleaseID=37931

• Microsoft IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
• Microsoft IIS 5.1: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857 

Povezave

• Microsoft Security Bulletin MS02-018