PT-2005-3031 · Microsoft · IIS
Ory Segal
Published: 2005-06-30 · Updated: 2024-02-09
CVE-2005-2089
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
Microsoft IIS versions 5.0 through 6.0
Description:
The issue allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request that carries both a Transfer-Encoding: chunked header and a Content-Length header. The server incorrectly handles and forwards the body of the request, so the receiving server processes it as a separate HTTP request; this technique is known as "HTTP Request Smuggling."
Recommendations:
For Microsoft IIS versions 5.0 through 6.0, consider disabling the handling of HTTP requests that carry both Transfer-Encoding: chunked and Content-Length headers as a temporary workaround until a patch is available. Restrict access to sensitive web application areas to minimize the risk of exploitation. Avoid configurations that allow web cache poisoning and XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration:
HTTP Request/Response Smuggling
Related Identifiers:
CVE-2005-2089
Affected Products:
IIS
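The workaround in the Recommendations above, refusing requests that carry both framing headers, can be implemented as a front-end check such as the following. This is an added example written for this page, not code from the advisory or from IIS; the function name and sample requests are constructed, and it also flags the other ambiguous framings (conflicting Content-Length values, a Transfer-Encoding whose final coding is not chunked) that RFC 7230 section 3.3.3 treats the same way.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous: Content-Length
together with Transfer-Encoding, conflicting Content-Length values, or a
Transfer-Encoding whose final coding is not chunked. Added example, not code
from the PT-2005-3031 advisory; names and sample requests are constructed."""


def classify_framing(raw: bytes) -> str:
    """Return how the body of a raw request head would be framed:
    'none', 'content-length', 'chunked', or 'ambiguous' (reject, HTTP 400)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    content_lengths, transfer_encodings = [], []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" not in line:
            return "ambiguous"  # malformed header line: do not guess
        name, value = line.split(b":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == b"content-length":
            # a list value such as "4, 4" is collected as two entries
            content_lengths.extend(v.strip() for v in value.split(b","))
        elif name == b"transfer-encoding":
            transfer_encodings.extend(v.strip().lower() for v in value.split(b","))
    if transfer_encodings:
        if content_lengths:
            # the CL + TE combination the advisory describes: front end and
            # back end may disagree on where the body ends, so refuse it
            return "ambiguous"
        if transfer_encodings[-1] != b"chunked":
            return "ambiguous"  # length cannot be determined (RFC 7230 3.3.3)
        return "chunked"
    if content_lengths:
        if len(set(content_lengths)) != 1 or not content_lengths[0].isdigit():
            return "ambiguous"  # conflicting or non-numeric lengths
        return "content-length"
    return "none"


# Constructed sample requests (not from the advisory).
AMBIGUOUS_REQUEST = (
    b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)
CLEAN_REQUEST = (
    b"POST /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\nq=ab"
)

if __name__ == "__main__":
    for label, req in (("ambiguous", AMBIGUOUS_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, "->", classify_framing(req))
```

A front end that returns 400 for every "ambiguous" result never forwards a request whose body boundary a downstream server could place differently.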