CVE-2003-0226
Description
Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*
- (no CPE) range: 5.0, 5.1
Patches
Vulnerability mechanics
Root cause
"Microsoft Internet Information Services (IIS) 5.0 and 5.1 does not properly handle excessively long WebDAV PROPFIND or SEARCH requests, leading to a denial of service."
Attack vector
A remote attacker can send a crafted, excessively long WebDAV request using either the PROPFIND or SEARCH method to a vulnerable IIS server. This malformed request triggers an error condition that the server fails to handle gracefully. The vulnerability is triggered by sending a long request body to the SEARCH method, as demonstrated by the provided exploit code [ref_id=1].
Affected code
The vulnerability lies within the WebDAV functionality of Microsoft Internet Information Services (IIS) versions 5.0 and 5.1. Specifically, the handling of long requests to the PROPFIND and SEARCH methods is implicated. The provided exploit code targets the SEARCH method by sending a large `Content-Length` header and a lengthy XML payload [ref_id=1].
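A defender-side check for the request pattern described above, as an added example that is not from the advisory or the referenced exploit code: it scans an IIS W3C extended log for PROPFIND or SEARCH requests whose `cs-bytes` value exceeds a threshold. The 32 KB threshold, the sample log lines and the function name `find_oversized_webdav` are assumptions made for illustration, and it assumes `cs-bytes` logging is enabled.

```python
"""Flag oversized WebDAV PROPFIND/SEARCH requests in IIS W3C extended logs."""

WEBDAV_METHODS = {"PROPFIND", "SEARCH"}
# Assumed review threshold in bytes; the advisory text does not give a length.
SIZE_THRESHOLD = 32 * 1024

# Constructed sample log (W3C extended format), not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2003-05-28 10:01:02 192.0.2.10 GET /default.htm 200 312
2003-05-28 10:01:05 192.0.2.44 PROPFIND /docs/ 207 540
2003-05-28 10:02:17 198.51.100.7 SEARCH / 500 131297
2003-05-28 10:02:19 198.51.100.7 propfind / 500 70011
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-05-28 10:05:00 198.51.100.7 SEARCH / 500
"""


def find_oversized_webdav(log_text, threshold=SIZE_THRESHOLD):
    """Return (hits, unsized): oversized requests, and WebDAV requests
    whose size could not be checked because cs-bytes was not logged."""
    fields, hits, unsized = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it each time.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        if row.get("cs-method", "").upper() not in WEBDAV_METHODS:
            continue
        size = row.get("cs-bytes", "-")
        if not size.isdigit():
            unsized.append(row)  # visibility gap: enable cs-bytes logging
        elif int(size) >= threshold:
            hits.append(row)
    return hits, unsized


if __name__ == "__main__":
    hits, unsized = find_oversized_webdav(SAMPLE_LOG)
    for row in hits:
        print("oversized", row["c-ip"], row["cs-method"], row["cs-bytes"])
    print(len(unsized), "WebDAV request(s) logged without cs-bytes")
```

Entries returned in the second list are WebDAV requests the log cannot size, which is a reason to add `cs-bytes` to the logged fields rather than a finding in itself.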
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. However, it is reported that IIS will automatically restart after the denial of service, and normal service will resume. In some cases, the Inetinfo service may stop serving requests until manually restarted [ref_id=1].
Preconditions
- config: The target system must be running Microsoft Internet Information Services (IIS) 5.0 or 5.1.
- config: The WebDAV service must be enabled on the target IIS server.
- network: The attacker must have network access to the target IIS server's HTTP port (typically port 80).
Reproduction
```bash
./Screw_IIS <victim IP>
```
This command will send a crafted SEARCH request to the specified IP address, attempting to cause a denial of service on the IIS server [ref_id=1].
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- archives.neohapsis.com/archives/bugtraq/2003-05/0308.html (nvd: Patch, Vendor Advisory)
- www.spidynamics.com/iis_alert.html (nvd: Patch, Vendor Advisory)
- marc.info (nvd)
- marc.info (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-018 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A933 (nvd)