Severity rating


Discovered date

Attack vector

Authentication required

Public exploits available

Signature detection



A buffer overrun exists in IIS when it processes HTTP header information in certain cases. IIS performs a safety check prior to parsing the fields in HTTP headers, to ensure that expected delimiter fields are present and in reasonable places, but it is possible to spoof the check and convince IIS that the delimiters are present even when they are not.


An attacker could overwrite program code on the server with new program code, in essence modifying the functionality of the server software.

Technical details (analysis)

An ISAPI filter is an API extension for an HTTP server. Specifically, when IIS receives an HTTP request, it performs some checks on the HTTP headers. By specially crafting a header, it is possible to make IIS conclude that the delimiting characters are present when in fact they are not. The vulnerability results from an error that occurs when Active Server Pages parses HTTP header information. An initial check is performed, with the goal of ensuring that required delimiters are present in the information and in reasonable locations before moving the information into a buffer for processing. However, the check can be spoofed, with a buffer overrun as the result.
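The defensive counterpart to the flaw class described above, as an added example (not IIS or Microsoft code; the page does not say how the check is spoofed, so nothing here reproduces it). The hypothetical helper `copy_header_value` looks for delimiters only within the bytes received and sizes the copy against the destination buffer, so the copy does not rely on an earlier sanity check having been right.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (assumption, not IIS code): copy the value of one
 * "Name: value\r\n" header line into dst as a NUL-terminated string.
 * Returns the value length, or -1 if the line is rejected. */
int copy_header_value(const char *line, size_t line_len,
                      char *dst, size_t dst_cap)
{
    if (line == NULL || dst == NULL || dst_cap == 0)
        return -1;

    /* Search for the separator only inside the bytes actually received. */
    const char *colon = memchr(line, ':', line_len);
    if (colon == NULL || colon == line)
        return -1;                      /* missing separator or empty name */

    const char *val = colon + 1;
    size_t rest = line_len - (size_t)(val - line);

    /* The terminator must also lie inside the received bytes. */
    const char *cr = memchr(val, '\r', rest);
    if (cr == NULL || (size_t)(cr - line) + 1 >= line_len || cr[1] != '\n')
        return -1;                      /* CRLF terminator missing */

    /* Skip optional leading whitespace in the value. */
    while (val < cr && (*val == ' ' || *val == '\t'))
        val++;

    /* The length comes from the delimiters just located and is checked
     * against the destination capacity before any byte is moved. */
    size_t n = (size_t)(cr - val);
    if (n >= dst_cap)
        return -1;                      /* would not fit with the NUL */

    memcpy(dst, val, n);
    dst[n] = '\0';
    return (int)n;
}
```
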

Affected software

Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1

Non-affected software

All IIS versions not on the affected list.



NIS signature

Name: Vulnerability:Win/IIS.ISAPI.RCE!CAN-2002-0150
Release Date: 2002-04-10T00:00:00

Known false positives

No known false positives at this time.


The vulnerability requires that Active Server Pages (ASP) be enabled on the system in order to be exploited. Version 1.0 of the IIS Lockdown Tool removes ASP by default, and the current version (version 2.1) removes it by default if Static Web Server has been selected.
The URLScan tool's default ruleset would likely limit the attacker to using this vulnerability for denial of service attacks only.