CVE-1999-0867

Internet Information Server 4.0 - Denial of Service via Malformed HTTP Headers

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-0867. PoCs published by Nobuo Miwa.

AI-analyzed exploit summary This exploit demonstrates a denial-of-service (DoS) vulnerability in Microsoft IIS and related products by flooding the server with malformed HTTP request headers containing excessively long 'Host' fields, causing memory exhaustion and service disruption.

Description

Denial of service in IIS 4.0 via a flood of HTTP requests with malformed headers.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Nobuo Miwa · textdosmultiple
https://www.exploit-db.com/exploits/19457

This exploit demonstrates a denial-of-service (DoS) vulnerability in Microsoft IIS and related products by flooding the server with malformed HTTP request headers containing excessively long 'Host' fields, causing memory exhaustion and service disruption.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Commercial Internet System 2.0/2.5, IIS 4.0, Site Server Commerce Edition 3.0 alpha/3.0 i386
No auth needed
Prerequisites: Network access to the target IIS server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_mskb
http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ238349
Third Party Advisory, US Government Resource third-party-advisory government-resource x_refsource_ciac
http://www.ciac.org/ciac/bulletins/j-058.shtml
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/579

Scores

EPSS 0.2208
EPSS Percentile 97.4%

Details

CWE
CWE-20
Status published
Products (4)
microsoft/commercial_internet_system 2.0
microsoft/commercial_internet_system 2.5
microsoft/internet_information_server 4.0
microsoft/site_server 3.0 unknown
Published Aug 11, 1999
Tracked Since Feb 18, 2026