Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Richard M. Smith (rmsPRIVACYFOUNDATION.ORG)
Date: Tue Apr 17 2001 - 06:32:57 CDT
>>> Microsoft ISA server includes a web proxy component
>>> (W3PROXY.EXE) that is used for both the "publishing"
>>> of internal web servers to the external network
>>> and for proxying of internal requests to external web servers.
>>> Sending a URL with a long pathname component to this proxy
>>> will cause it to terminate with an access violation error.
>>> For example, sending the (valid) HTTP request:
>>> GET http://hostname/aaa[3000 more occurences of 'a'] HTTP/1.0\n\n
>>> to port 80 on the ISA Server's external interface will cause
>>> W3PROXY.EXE to terminate with an access violation.
I don't have access to an ISA server for testing, but this DoS attack
might also be exploitable from an HTML email message by
an outsider using the following <IMG> tag embedded in
<img src=http://hostname/aaa[3000 more occurences of 'a']>
Another method of generating the DoS attack would be to
the "src" property of an Image object. This code could
also be embedded in an HTML email message.