• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Microsoft IIS 4.0/5.0 Session ID Cookie Disclosure Vulnerability

Solution:
Microsoft has released patches which eliminate the vulnerability. Microsoft re-released the patches on November 20, 2000 because the original IIS 4.0 Alpha and IIS 5.0 x86 patch did not install properly. Those who applied the IIS 4.0 x86 patch do not need to take any further action because the patch did not contain an error. The IIS 4.0 Alpha patch is available from Microsoft Product Support Services.


Microsoft IIS 4.0

• Microsoft Q274149
  http://download.microsoft.com/download/winntsp/Patch/Q274149/NT4/EN-US /secsesi.exe

Microsoft IIS 5.0

• Microsoft Q274149
  http://download.microsoft.com/download/win2000platform/Patch/Q274149/N T5/EN-US/Q274149_W2K_SP2_x86_en.EXE