The latest ASP, IIS security vulnerabilities

Author: scholar
When ASP with its flexible, simple, practical, powerful features quickly swept the global web site, some of its own flaws, vulnerabilities are also threatening all web developers, following the introduction of some of the IIS system vulnerabilities and ASP security issues, this period will be for the latest ASP, IIS security vulnerabilities for detailed discussion, please all the ASP Web site developers pay close attention to improve vigilance.
Earlier this month, Microsoft was again blamed for not paying attention to security issues with its Web server software. In Microsoft's popular product IIS
SEVER4.0 was found to have a flaw known as the "illegal HTR request". According to Microsoft, this flaw can cause arbitrary code to run on the server side under certain circumstances. But the CEO of Eeye, an Internet security firm that found this vulnerability,
Firas Bushnaq's words: This is only the tip of the iceberg. Bushnaq said that Microsoft has concealed the situation, such as hackers can use this vulnerability to the IIS server to complete control, and the exact number of E-commerce sites are based on this system.
The following is a list of the details of this IIS system vulnerability:
The latest security vulnerabilities for IIS
Affected Systems:
Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4
Release Date: 6.8.1999
Microsoft has confirmed the vulnerability, but no patches are available at this time.
Microsoft Security Bulletin (ms99-019):
Topic: "Abnormal HTR Request" vulnerability
Release time: 6.15.1999
Summary:
Microsoft has confirmed the Internet Information Server for its published Web server products
A serious system vulnerability exists in 4.0 that causes a "service denial of attack" for the IIS server, in which case any 2-in-process code may be running on the server. A patch for this vulnerability will be released in the near future, with all IIS users watching closely.
Vulnerability Description:
IIS supports a variety of file types that require server-side processing, such as ASP, ASA, IDC, HTR, and when a Web user requests such a file from a client, the corresponding DLL file is processed automatically. However, a serious security breach was found in ISM.DLL, the file responsible for handling HTR files. (Note: The HTR file itself is used to remotely manage user passwords)
This vulnerability contains an unauthenticated buffer in ISM.DLL, which can pose two threats to the security operation of the Web server. First, it comes from the threat of a denial-of-service attack, from an abnormal pair. HTR file requests cause a cache overflow that directly causes IIS to crash, and when this happens, the server does not need to be restarted, but IIS