This update resolves the "Web Server File Request Parsing" security vulnerability in Internet Information Services (IIS) 5.0 and is discussed in Microsoft Security Bulletin MS00-086. Download now to prevent a malicious user from modifying Web pages, adding, changing, or deleting files by sending malformed file requests.
When a Web server that is running IIS receives a request for a file, it passes the name of the file to the operating system for processing. If a malicious user combines a request for a .cmd or .bat file with operating system commands in a particular way, IIS improperly passes both the file request and the commands to the operating system. This could allow the malicious user to run commands directly on the Web server.