search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Information Server 4.0 (IIS) vulnerable to DoS when URL redirecting is enabled

Vulnerability Note VU#544555

Original Release Date: 2001-08-14 | Last Revised: 2001-08-14


A vulnerability in IIS 4.0 may permit intruders to crash vulnerable IIS servers with URL redirection enabled.


A vulnerability in Microsoft IIS 4.0 allows an attacker to crash IIS 4.0 servers if they are configured to use URL redirection. URL redirection is not used by default. This vulnerability is exercised by the Code Red worm, but is distinct from the vulnerability that allows the worm to compromise systems. For more information, please see

No patch is available at this time. Due to the large numbers of systems still infected with Code Red as of this writing, it is likely that systems running IIS 4.0 with redirection enabled will have difficulty maintaining normal operation until and unless URL redirection is disabled, or until a patch is available.


Intruders can crash vulnerable IIS 4.0 systems. IIS 5.0 is not affected.


No patch is currently available.

Until a patch is available disable URL redirection on your system.

Vendor Information


Microsoft Affected

Updated:  August 14, 2001



Vendor Statement

For more information, see

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Our thanks to Microsoft for the information contained on their web site.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs: None
Severity Metric: 22.50
Date Public: 2001-08-13
Date First Published: 2001-08-14
Date Last Updated: 2001-08-14 19:55 UTC
Document Revision: 9

Sponsored by CISA.