Microsoft IIS 5.1 and 6 allow remote attackers to spoof the SERVER_NAME variable to bypass security checks and conduct various attacks via a GET request with an http://localhost URI, which makes it appear as if the request is coming from localhost.
Microsoft IIS SERVER_NAME Variable Spoofing Filter Bypass
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Microsoft IIS contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when a URL that spoofs the server name is supplied in the HTTP GET request. Server scripts that grant elevated privileges when accessed locally may be fooled into treating a remote request as if it came from a local user. This flaw may lead to a loss of confidentiality or integrity.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workarounds: Replace the '(strServername = "localhost")' check in each vulnerable script with '(strServerIP = strRemoteIP)', as the 'strServerIP' variable cannot be manipulated by a remote user. Another possible workaround is to add a new site to IIS with the host header name set to "localhost", and a root directory that either contains only static content or points to an empty folder with no permissions.
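
The first workaround as a classic ASP sketch. This is an added example, not code from the advisory or from Microsoft. The variable names follow the advisory, filling them from the IIS server variables SERVER_NAME, LOCAL_ADDR and REMOTE_ADDR is an assumption about how a vulnerable script populates them, and `ShowLocalOnlyContent` and the function names are hypothetical.

```asp
<%
' Added example. Assumes the script fills the advisory's variables from these
' IIS server variables; ShowLocalOnlyContent is a hypothetical placeholder.
Dim strServername, strServerIP, strRemoteIP
strServername = Request.ServerVariables("SERVER_NAME") ' taken from the request, client-influenced
strServerIP   = Request.ServerVariables("LOCAL_ADDR")  ' address the server accepted the connection on
strRemoteIP   = Request.ServerVariables("REMOTE_ADDR")  ' address of the connecting client

' Before (vulnerable): the check the advisory says to replace.
Function IsLocalByName()
    IsLocalByName = (strServername = "localhost")
End Function

' After (workaround): compare connection addresses, which the request
' line and headers do not control. An empty value never counts as local.
Function IsLocalByAddress()
    IsLocalByAddress = (Len(strServerIP) > 0) And (strServerIP = strRemoteIP)
End Function

Sub ShowLocalOnlyContent()
    Response.Write "Content intended for local users only."
End Sub

If IsLocalByAddress() Then
    ShowLocalOnlyContent
Else
    ' A request that claims localhost by name but arrives from another
    ' address matches the spoofing pattern: record it in the IIS log.
    If IsLocalByName() Then
        Response.AppendToLog "SERVER_NAME=localhost from non-local client"
    End If
    Response.Status = "403 Forbidden"
    Response.Write "Forbidden"
    Response.End
End If
%>
```

The address comparison treats any connection originating on the server itself as local, so it assumes no proxy or relay on the same host forwards external requests to IIS.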