CVE-2002-0072 - Vulnerability Details - OpenCVE

The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Internet Information Server Internet Information Services

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:internet_information_server:4.0:::::::*
	cpe:2.3:a:microsoft:internet_information_services:5.0:::::::*

No data.

References

Link	Providers
http://marc.info/?l=bugtraq&m=101853851025208&w=2
http://www.cert.org/advisories/CA-2002-09.html
http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
http://www.iss.net/security_center/static/8800.php
http://www.kb.cert.org/vuls/id/521059
http://www.osvdb.org/3326
http://www.securityfocus.com/bid/4479
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2003-04-02T05:00:00

Updated: 2024-08-08T02:35:17.469Z

Reserved: 2002-02-21T00:00:00

Link: CVE-2002-0072

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2002-04-22T04:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2002-0072

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2002-04-10T00:00:00", "descriptions": [{"lang": "en", "value": "The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2011-07-17T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "4479", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/4479"}, {"name": "VU#521059", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/521059"}, {"name": "iis-isapi-filter-error-dos(8800)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "http://www.iss.net/security_center/static/8800.php"}, {"name": "20020411 KPMG-2002009: Microsoft IIS W3SVC Denial of Service", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=101853851025208&w=2"}, {"name": "MS02-018", "tags": ["vendor-advisory", "x_refsource_MS"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018"}, {"name": "3326", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/3326"}, {"name": "CA-2002-09", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.cert.org/advisories/CA-2002-09.html"}, {"name": "20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2002-0072", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "4479", "refsource": "BID", "url": "http://www.securityfocus.com/bid/4479"}, {"name": "VU#521059", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/521059"}, {"name": "iis-isapi-filter-error-dos(8800)", "refsource": "XF", "url": "http://www.iss.net/security_center/static/8800.php"}, {"name": "20020411 KPMG-2002009: Microsoft IIS W3SVC Denial of Service", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=101853851025208&w=2"}, {"name": "MS02-018", "refsource": "MS", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018"}, {"name": "3326", "refsource": "OSVDB", "url": "http://www.osvdb.org/3326"}, {"name": "CA-2002-09", "refsource": "CERT", "url": "http://www.cert.org/advisories/CA-2002-09.html"}, {"name": "20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018", "refsource": "CISCO", "url": "http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T02:35:17.469Z"}, "title": "CVE Program Container", "references": [{"name": "4479", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/4479"}, {"name": "VU#521059", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/521059"}, {"name": "iis-isapi-filter-error-dos(8800)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "http://www.iss.net/security_center/static/8800.php"}, {"name": "20020411 KPMG-2002009: Microsoft IIS W3SVC Denial of Service", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=101853851025208&w=2"}, {"name": "MS02-018", "tags": ["vendor-advisory", "x_refsource_MS", "x_transferred"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018"}, {"name": "3326", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/3326"}, {"name": "CA-2002-09", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.cert.org/advisories/CA-2002-09.html"}, {"name": "20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2002-0072", "datePublished": "2003-04-02T05:00:00", "dateReserved": "2002-02-21T00:00:00", "dateUpdated": "2024-08-08T02:35:17.469Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5D47E9C4-5439-4A82-BBD8-D6B482B47E51", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "413C07EA-139F-4B7D-A58B-835BD2591FA0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer."}, {"lang": "es", "value": "Un filtro ISAPI en las Extensiones de Servidor de Front Page y ASP.NET para Internet Information Server (IIS) 4.0, 5.0 y 5.1 no maneja adecuadamente la condici\u00f3n de error cuando se provee una URL larga, lo que permite a atacantes remotos causar una denegaci\u00f3n de sevicio (ca\u00edda)."}], "id": "CVE-2002-0072", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2002-04-22T04:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=101853851025208&w=2"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.cert.org/advisories/CA-2002-09.html"}, {"source": "cve@mitre.org", "url": "http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml"}, {"source": "cve@mitre.org", "url": "http://www.iss.net/security_center/static/8800.php"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/521059"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/3326"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/4479"}, {"source": "cve@mitre.org", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=101853851025208&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.cert.org/advisories/CA-2002-09.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.iss.net/security_center/static/8800.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/521059"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/3326"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/4479"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-018"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}