A remote overflow exists in a safety check that IIS perfoms during server-side includes (SSI). IIS performs this safety check to ensure that a client-specified file is valid. It is possible to specify an invalid filename in such a way that bypasses the safety check. With a specially crafted URL, an attacker can cause either a DoS or the execution of arbitrary code, resulting in a loss of confidentiality, integrity, and/or availability.

Install Patch Q319733, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):

1. Disable ASP - Version 1.0 of the IIS Lockdown Tool disables ASP by default, and version 2.1 disables ASP if "Static Web Server" is selected.

2. The URLScan tool can be used to prevent code execution, but not the DoS.

• CVE ID: 2002-0149 (see also: NVD)
• Bugtraq ID: 4478
• CERT VU: 721963
• ISS X-Force ID: 8798
• CERT: CA-2002-09
• Vendor Specific Advisory URL: http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
• Other Solution URL: http://www.microsoft.com/downloads/search.aspx?opsysid=1&search=Keyword&value='security_patch'&displaylang=en
• Vendor Specific Solution URL: http://www.microsoft.com/technet/security/URLScan.asp
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
• Other Advisory URL: http://www.nipc.gov/warnings/advisories/2002/02-002.htm
  http://xforce.iss.net/xforce/alerts/id/advise114
• CIAC Advisory: M-066
• Microsoft Security Bulletin: MS02-018

Unknown or Incomplete