Microsoft Web server security flaws documented
Microsoft's freely available Internet Information Server (IIS) software
shared a bug with other Windows NT browsers that permitted a malicious
user to cause arbitrary commands to be executed by the server. A detailed
description of the bug by Andy Baron is available at
http://www.omna.com/iis-bug.htm. Microsoft released a fix and a new
version of IIS; versions downloaded after March 5, 1996 are not
supposed to have the bug. However, there is some disagreement over
whether or not the revised IIS is not in fact vulnerable to a similar,
but slightly more complex attack. See
http://www.omna.com/yes/AndyBaron/iis-bug2.htm for details.