IIS WebDav Lock Method Memory Leak DoS Vulnerability

by platon on May 20th, 2001

Microsoft IIS 5.0 is vulnerable to a denial of service attack...

A flaw in the WebDav extensions allows a remote attacker to carry out a DoS by repeatedly requesting nonexistent files via the HTTP LOCK method.

This leads to a complete consumption of memory resources, eventually crashing the host and requiring a restart.


LOCK /aaaaaaaaaaaaaaaaaaaaaaaaaa.htw HTTP/1.0

One way is to combine the attack with ASP executions, e.g.:

GET /iisstart.asp?uc=a HTTP/1.0


The problem has been corrected in httpext.dll v.0.9.3940.21, which is packaged with Windows 2000 Service Pack 2 and according to Microsoft:

"it will ship with each IIS5 hotfix that we release going forward (and will be available for SP0, SP1, and SP2+.)"

You can find Service Pack 2 on Microsoft's webpage at:

Reported to Bugtraq by Defcom Labs in advisory def-2001-26, dated May 17, 2001.
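
On hosts that have not yet received the fixed httpext.dll, the repeated LOCK requests described above show up in the IIS W3C extended logs. The following detection sketch is an added example, not part of the original advisory: it counts LOCK requests per client per minute, and the function name, the threshold and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C extended log format (not from a real server).
# The #Fields directive changes mid-file, as happens when logging is reconfigured.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 5.0",
     "#Fields: date time c-ip cs-method cs-uri-stem",
     "2001-05-20 10:00:01 192.0.2.10 GET /default.htm",
     "2001-05-20 10:00:05 192.0.2.10 LOCK /docs/report.doc"]
    + [f"2001-05-20 10:01:{s:02d} 198.51.100.7 LOCK /x{s}.htw" for s in range(0, 40, 5)]
    + ["#Fields: date time cs-method cs-uri-stem c-ip"]
    + [f"2001-05-20 10:02:{s:02d} LOCK /y{s}.htw 198.51.100.7" for s in range(0, 30, 5)]
    + ["2001-05-20 10:02:59 GET /default.htm"]  # malformed: one field short
)

def lock_bursts(log_text, threshold=5):
    """Return {(client_ip, 'YYYY-MM-DD HH:MM'): count} for every client/minute
    pair with at least `threshold` LOCK requests (threshold is an assumption;
    tune it against the normal WebDAV authoring traffic of the site)."""
    fields = []
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order for the lines that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                    # other directives, blanks, headerless data
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed entry
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() != "LOCK":
            continue
        minute = f"{rec.get('date', '?')} {rec.get('time', '')[:5]}"
        counts[(rec.get("c-ip", "?"), minute)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (ip, minute), n in sorted(lock_bursts(SAMPLE_LOG).items()):
        print(f"{minute}  {ip}  {n} LOCK requests")
```
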

