[Original text] IIS 4.0 and Site Server 3.0 allow remote attackers to read source code for ASP files if the file is in a virtual directory whose name includes extensions such as .com, .exe, .sh, .cgi, or .dll, aka the "Virtual Directory Naming" vulnerability.
Microsoft IIS Virtual Directory ASP Source Disclosure
Remote / Network Access
Loss of Confidentiality
Microsoft IIS and Site Server contain a flaw that may allow a remote attacker to gain access to ASP page source code. The issue is triggered when ASP files are stored in virtual directories whose names include extensions such as .com, .exe, .sh, .cgi, or .dll. When an attacker requests such a file, the server will return the source code instead of processing the file normally.
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.
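An administrator can check a server's own configuration for the trigger condition described above by listing virtual directories whose names carry one of these extensions and that hold ASP files. The following is an added example, not code from Microsoft or from this advisory. The inventory is constructed sample data, and the extension list and the matching rule (the extension as a dot-delimited part of a directory name) are assumptions, since the advisory only says "such as".

```python
import re

# Extensions named in the advisory. It says "such as", so treat this list
# as an assumption that may not be exhaustive.
RISKY_EXTS = (".com", ".exe", ".sh", ".cgi", ".dll")

# Assumed matching rule: the extension ends the directory name or is
# followed by another dot (e.g. "tools.exe", "tools.exe.old").
_EXT_RE = re.compile(
    "(?:" + "|".join(re.escape(e) for e in RISKY_EXTS) + r")(?=\.|$)",
    re.IGNORECASE,
)

def risky_segments(vdir_path):
    """Return the path segments whose name includes a listed extension."""
    segments = [s for s in re.split(r"[\\/]+", vdir_path) if s]
    return [s for s in segments if _EXT_RE.search(s)]

def audit(vdirs):
    """vdirs maps a virtual directory path to the file names it contains.
    Returns (path, matching segments, ASP files) for every directory that
    both matches the naming pattern and holds at least one .asp file."""
    findings = []
    for path, files in sorted(vdirs.items()):
        hits = risky_segments(path)
        asp_files = [f for f in files if f.lower().endswith(".asp")]
        if hits and asp_files:
            findings.append((path, hits, asp_files))
    return findings

# Constructed sample inventory (hypothetical directory and file names).
SAMPLE = {
    "/scripts": ["default.asp"],
    "/tools.exe": ["login.asp", "logo.gif"],
    "/apps/legacy.CGI/admin": ["config.asp"],
    "/downloads.com": ["readme.txt"],   # matching name, but no ASP files
    "/my.shared": ["index.asp"],        # ".sh" is not a whole extension here
}

if __name__ == "__main__":
    for path, hits, asp_files in audit(SAMPLE):
        print(f"{path}: rename {hits} or apply the patch; exposed: {asp_files}")
```

Directories it reports are candidates for renaming until the Microsoft patch is applied.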