Microsoft Security Bulletin MS00-086
Patch Available for 'Web Server File Request Parsing' Vulnerability
Originally posted: November 06, 2000
Updated: November 30, 2000
On November 06, 2000, Microsoft released the original version of this bulletin, announcing the availability of a patch that eliminates a security vulnerability in Microsoft® Internet Information Services 5.0. The vulnerability could enable a malicious user to run operating system commands on a web server. Since its original issuance, the bulletin has been updated several times:
- On November 10, 2000, the bulletin was updated to clarify the scope of the issue.
- On November 21, 2000, it was updated to discuss two newly-discovered variants of the original vulnerability.
- On November 30, 2000, it was updated to discuss a newly-discovered regression error in the IIS 5.0 patch and recommend that customers apply an updated version of the patch.
The newly-discovered regression error only affects the IIS 5.0 version of the patch. It has no effect on the effectiveness of the patch against the vulnerability discussed here, but it does cause servers to be vulnerable to the "Web Server Directory Traversal" discussed in Microsoft Security Bulletin MS00-078, even if the patch provided in MS00-078 has been applied. Microsoft therefore recommends that all IIS 5.0 customers apply the new patch provided below. It protects against both the "Web Server File Request Parsing" and "Web Server Directory Traversal" vulnerabilities. The IIS 4.0 version of the patch does not contain the error, and customers who have applied the IIS 4.0 patch do not need to take any action.
Affected Software:
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
Vulnerability Identifier: CVE-2000-0886
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- November 06, 2000: Bulletin Created.
- November 10, 2000: Bulletin updated to indicate that IIS 4.0 is affected when running on pre-SP6 versions of Windows NT 4.0, and to provide information on additional restrictions on the vulnerability.
- November 21, 2000: Bulletin updated to discuss availability of patch that addresses new variants of vulnerability.
- November 30, 2000: Bulletin updated to discuss regression error and recommend that customers apply updated patch.