COMMAND

    Microsoft Internet Information Server

SYSTEMS AFFECTED

    NT 4.0, IIS 1.0

PROBLEM

    A URL such as  'http://www.domain.com/..\..' allows you to  browse
    and  download  files  outside   of  the  webserver  content   root
    directory.

    A  URL  such  as   'http://www.domain.com/scripts..\..\scriptname'
    allows you to execute the target script.

    By default user 'Guest' or  IUSR_WWW has read access to  all files
    on an NT disk. These files can be browsed, executed or  downloaded
    by wandering guests.

    For verification check:

        http://www.omna.com/iis-bug.htm

SOLUTION

    Upgrade your vrsion of IIS.