Vulnerability Note VU#717748

Microsoft Internet Information Server (IIS) 4.0 contains a buffer overflow in the redirect function

Original Release date: 14 Jul 2004 | Last revised: 14 Jul 2004


There is a vulnerability in the redirect function of Microsoft's Internet Information Server (IIS) 4.0 that could allow an attacker to execute arbitrary code on an affected system.


Internet Information Server (IIS) is a web server available for the Microsoft Windows operating system. IIS provides a redirect function that is responsible for forwarding incoming HTTP requests to another page. There is a buffer overflow vulnerability in the way the redirect function validates the length of incoming requests. By sending a specially crafted message to an affected system, an attacker could trigger a buffer overflow and potentially execute code of the attacker's choice. For more information, please refer to Microsoft Security Bulletin MS04-021.

Note: According to the Microsoft Security Bulletin, only IIS 4.0 systems are affected.


A remote, unauthenticated attacker could execute arbitrary code on an affected system.


Apply a patch as described in Microsoft Security Bulletin MS04-021.

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  -              14 Jul 2004

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A



This vulnerability was reported by Microsoft.

This document was written by Damon Morda and based on information provided by Microsoft.

Other Information

  • CVE IDs: CAN-2004-0205
  • Date Public: 13 Jul 2004
  • Date First Published: 14 Jul 2004
  • Date Last Updated: 14 Jul 2004
  • Severity Metric: 10.13
  • Document Revision: 9

