Re: MS IIS 5.0 Access Violation on handling URL String

From: Lark Lizerman (webmasterat_private)
Date: Sat Jan 15 2000 - 19:13:30 PST

    Question:
    Did you try this out on WinNT4.0 SP4, SP5, SP6 running IIS 5.0?
    
    Fact about data loss:
    I think even if it restarts automatically the bug MUST be fixed.
    On large servers with a couple of hundred clients doing downloads, a restart would still mean an abort of data transfer.
    Two processes watching each other is not new to me, but the main point is still a stable server;
    another process for watching is extremely useful but no way out.
    Microsoft should prepare a fix for IIS5.0.
    
    I would be glad for Microsoft to make a statement about the past 2 bugs and prepare fixes (or service packs as they call them ;-} ) for the "ida" and "idq" extensions and, built on that basis, my Access Violation produced with the help of the URL structure "domain./.......//......ida".
    
    Danger:
    The fact at this point is that it is possible to crash IIS 5.0 and the process must be restarted, which means data loss at all clients connected.
    On a credit card transaction / stock system it would mean dramatic financial loss.
    The main danger is not that a website with a few hundred visitors will become unavailable for some seconds, but that an SSL system which handles transactions gets interrupted during data transfer. Imagine you sell shares for 200.000$ and your order gets interrupted: you may lose a _lot_ of money. Most transaction systems are Unix, but in the past more and more NT systems have been used for this kind of business.
    
    greets
    Lark Lizerman
    
    >
    >
    > <SNIP>
    > >I have 2 screenshots where 2 of the messages are displayed.
    > >The system I have tried it out on is a cluster where each backs up the other in case of failure.
    > >Because of that reason I cannot say for certain whether the process dies or not, because I got redirected to another server.
    >
    > <SNIP>
    >
    > IIS5 on Windows 2000 has a resilience system built in where if the
    > inetinfo.exe process crashes it will automatically restart - the program
    > that does this is %systemroot%\system32\iisreset.exe with a /fail=failreason
    > option. This causes an errorlog to be written to the event log and IIS5 is
    > brought back up. This is good for websites that require maximum uptime.
    >
    > Cheers,
    > David Litchfield
    > http://www.cerberus-infosec.co.uk/
    >
    >
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:30 PDT