CVE-1999-1233

Vulnerability

The "Domain Resolution" vulnerability (CVE-1999-1233) affects Microsoft Internet Information Server (IIS) 4.0. When IIS is configured to restrict access based on the user's domain, it fails to properly handle requests from IP addresses that do not resolve to a DNS domain. In such cases, IIS incorrectly grants the initial session request, allowing the user to bypass the intended access restrictions. This vulnerability does not affect other Microsoft products, including MCIS 2.5 [1].

Exploitation

An attacker can exploit this vulnerability by sending a request from an IP address that does not resolve to any DNS domain. No authentication or special privileges are required. The attacker simply initiates a session, and IIS grants the first request, after which subsequent requests are correctly denied. The attacker can then access restricted web content during that initial session [1].

Impact

Successful exploitation allows an attacker to gain unauthorized access to web content that is protected by domain-based restrictions. The impact is limited to information disclosure or unauthorized access; the vulnerability does not provide a means to take control of the server [1].

Mitigation

Microsoft released a patch for IIS 4.0 as part of Security Bulletin MS99-039 on September 23, 1999. The patch eliminates the domain resolution vulnerability. Users should apply the patch to affected systems. No workaround is documented, and the product is long past its support lifecycle [1].