CVE-1999-0448
published 1999-01-01

CVE-1999-0448: IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

Priority: P4 23 · medium · 5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 24.19% (97.6th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | internet_information_server | |

Detection & IOCs (extracted from sources)

command: HTTP REQUEST_METHOD padded to 10141 bytes followed by ' /default.asp HTTP/1.0\n\n'
  • HTTP requests with a REQUEST_METHOD field exceeding 10150 bytes will not be logged by IIS 4.0, enabling log evasion; detect oversized HTTP method fields at the network layer.
  • Look for HTTP requests where the method field is padded with repeated 'A' characters to reach 10141+ bytes before the actual URI and protocol string.
  • Both IIS 4.0 and Apache are affected; monitor for abnormally large HTTP method tokens in raw network traffic regardless of server platform.
  • IIS 4.0 server-side logging is silently bypassed when the HTTP request method exceeds the threshold; server logs cannot be relied upon as a sole detection mechanism for this attack.
  • Apache is also affected by the same log-avoidance behaviour for oversized HTTP request methods, broadening the scope beyond IIS.
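
The network-layer check described in the bullets above, as an added example that is not part of the original entry or of any vendor tooling. The helper name `inspect_request` and the thresholds `MAX_METHOD_LEN` and `PAD_RATIO` are assumptions chosen for illustration, and the sample requests are constructed.

```python
# Added example: flag abnormally long HTTP method tokens in raw request bytes.
from collections import Counter

MAX_METHOD_LEN = 32   # assumption: legitimate HTTP methods are far shorter
PAD_RATIO = 0.9       # assumption: share of a single byte that counts as padding


def inspect_request(raw: bytes) -> dict:
    """Return the method-token length and whether it looks like padding."""
    # Tolerate leading empty lines, then isolate the request line.
    line = raw.lstrip(b"\r\n").split(b"\n", 1)[0].rstrip(b"\r")
    # The method is everything before the first space. If there is no space
    # (for example a truncated capture), the whole line counts as the method.
    method, sep, rest = line.partition(b" ")
    target = rest.split(b" ", 1)[0] if sep else b""
    oversized = len(method) > MAX_METHOD_LEN
    padded = False
    if oversized:
        # One byte value dominating the token indicates filler, e.g. 'A' * n.
        _, count = Counter(method).most_common(1)[0]
        padded = count / len(method) >= PAD_RATIO
    return {
        "method_len": len(method),
        "target": target.decode("latin-1"),
        "oversized": oversized,
        "padded": padded,
    }


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "normal": b"GET /default.asp HTTP/1.0\r\n\r\n",
    "padded": b"A" * 10141 + b" /default.asp HTTP/1.0\n\n",
    "truncated": b"A" * 4096,  # capture cut off before the first space
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = inspect_request(raw)
        verdict = "ALERT" if r["oversized"] else "ok"
        print(f"{name:10} {verdict:5} method_len={r['method_len']} "
              f"padded={r['padded']} target={r['target']!r}")
```

Because the check runs on raw request bytes, it still reports the real target (`/default.asp`) for requests the server log would omit.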