VULHUB ™

The SSL ISAPI filter that ships with IIS 4 is vulnerable to an error that could allow sensitive, normally encrypted information to be transmitted in plaintext to the client. The error is in the way that the filter handles simultaneous threads. Under heavy load conditions, a multi-threaded client application could cause the server to transmit one buffer of data unencrypted and then to terminate the connection. While the data is sent only to the client machine, the risk is that an attacker sniffing the connection could also receive the plaintext content.

The SSL ISAPI filter that ships with IIS 4 is vulnerable to an error that could allow sensitive, normally encrypted information to be transmitted in plaintext to the client. The error is in the way that the filter handles simultaneous threads. Under heavy load conditions, a multi-threaded client application could cause the server to transmit one buffer of data unencrypted and then to terminate the connection. While the data is sent only to the client machine, the risk is that an attacker sniffing the connection could also receive the plaintext content.