CVE-2001-0544

Vulnerability

In IIS 5.0, a local user can cause a denial of service by installing content that produces a specific invalid MIME Content-Type header. This corrupts the IIS File Type table, causing the web server to hang. The vulnerability exists in IIS 5.0 and is triggered by local installation of such content. [1]

Exploitation

An attacker must have local access to the IIS 5.0 server to install content that generates the invalid MIME Content-Type header. No user interaction or network access is required; the attacker can directly cause the denial of service by placing the malicious content on the server. The exact steps involve installing content with the malformed header, which then corrupts the File Type table, leading to a server hang. [1]

Impact

Successful exploitation results in a denial of service condition where the IIS 5.0 server hangs, disrupting web services. The impact is limited to availability; no information disclosure or privilege escalation is achieved. The server may need to be restarted to recover. [1]

Mitigation

Microsoft released a cumulative patch for IIS 5.0 in Security Bulletin MS01-044 (August 2001) that addresses this vulnerability. System administrators should apply the patch to prevent exploitation. No workaround is documented aside from applying the update. [1]