Internet Information Server

by Microsoft

CVEs (154)

  • CVE-1999-0867 (Aug 11, 1999)
    risk 0.05 | cvss | epss 0.22

    Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.

  • CVE-1999-1375 (Feb 11, 1999)
    risk 0.05 | cvss | epss 0.31

    FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.

  • CVE-1999-1538 (Jan 14, 1999)
    risk 0.05 | cvss | epss 0.25

    When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.

  • CVE-1999-0448 (Jan 1, 1999)
    risk 0.05 | cvss | epss 0.24

    IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

  • CVE-2008-1446 (Oct 15, 2008)
    risk 0.04 | cvss | epss 0.46

    Integer overflow in the Internet Printing Protocol (IPP) ISAPI extension in Microsoft Internet Information Services (IIS) 5.0 through 7.0 on Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to execute arbitrary code via…

  • CVE-2002-0150 (Apr 22, 2002)
    risk 0.04 | cvss | epss 0.49

    Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values.

  • CVE-2001-0507 (Sep 20, 2001)
    risk 0.04 | cvss | epss 0.09

    IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability.

  • CVE-2001-0336 (Jun 27, 2001)
    risk 0.04 | cvss | epss 0.16

    The Microsoft MS00-060 patch for IIS 5.0 and earlier introduces an error which allows attackers to cause a denial of service via a malformed request.

  • CVE-2000-1147 (Jan 9, 2001)
    risk 0.04 | cvss | epss 0.08

    Buffer overflow in IIS ISAPI .ASP parsing mechanism allows attackers to execute arbitrary commands via a long string to the "LANGUAGE" argument in a script tag.

  • CVE-2000-0970 (Dec 19, 2000)
    risk 0.04 | cvss | epss 0.46

    IIS 4.0 and 5.0 .ASP pages send the same Session ID cookie for secure and insecure web sessions, which could allow remote attackers to hijack the secure web session of the user if that user moves to an insecure session, aka the "Session ID Cookie Marking" vulnerability.

  • CVE-2000-0114 (Feb 2, 2000)
    risk 0.04 | cvss | epss 0.48

    Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.

  • CVE-1999-0412 (Feb 19, 1999)
    risk 0.04 | cvss | epss 0.10

    In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

  • CVE-1999-0449 (Jan 26, 1999)
    risk 0.04 | cvss | epss 0.50

    The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.

  • CVE-1999-0450 (Jan 26, 1999)
    risk 0.04 | cvss | epss 0.19

    In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).

  • CVE-1999-0281 (Jun 1, 1997)
    risk 0.04 | cvss | epss 0.13

    Denial of service in IIS using long URLs.

  • CVE-1999-0233 (Feb 25, 1996)
    risk 0.04 | cvss | epss 0.16

    IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.

  • CVE-2010-2730 (Sep 15, 2010)
    risk 0.03 | cvss | epss 0.33

    Buffer overflow in Microsoft Internet Information Services (IIS) 7.5, when FastCGI is enabled, allows remote attackers to execute arbitrary code via crafted headers in a request, aka "Request Header Buffer Overflow Vulnerability."

  • CVE-2005-2678 (Aug 23, 2005)
    risk 0.03 | cvss | epss 0.42

    Microsoft IIS 5.1 and 6 allows remote attackers to spoof the SERVER_NAME variable to bypass security checks and conduct various attacks via a GET request with an http://localhost URI, which makes it appear as if the request is coming from localhost.

  • CVE-2003-0225 (Jun 9, 2003)
    risk 0.03 | cvss | epss 0.38

    The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allows remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page.

  • CVE-2002-1182 (Nov 12, 2002)
    risk 0.03 | cvss | epss 0.36

    IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned.
