Summary
There is a flaw in the way nsiislog.dll processes incoming client requests. An attacker could send a specially formed HTTP request to the server that could cause IIS to fail or execute code on the user's system.
Solution
Microsoft has released a patch to correct these issues. Download locations for this patch:
Microsoft Windows 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F772E131-BBC9-4B34-9E78-F71D9742FED8&displaylang=en
Note: This patch can be installed on systems running Microsoft Windows 2000 Service Pack 2, Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4. This patch has been superseded by the one provided in Microsoft Security Bulletin MS03-019. http://www.microsoft.com/technet/security/bulletin/MS03-019.mspx
Severity
Classification
- CVE: CVE-2003-0349
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Microsoft .NET Framework Multiple Vulnerabilities (2916607)
- Message Queuing Remote Code Execution Vulnerability (951071)
- Cumulative Security Update for Internet Explorer (933566)
- Cumulative Security Update for Internet Explorer (972260)
- Microsoft IIS FTP Service Remote Code Execution Vulnerabilities (975254)