Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal
exploitation if extended UNICODE character representations are used in substitution
for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename
account. The IUSR_machinename account is a member of the Everyone and Users groups by
default, therefore, any file on the same logical drive as any web-accessible file that
is accessible to these groups can be deleted, modified, or executed. Successful exploitation
would yield the same privileges as a user who could successfully log onto the system
to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server
is also subject to this vulnerability. (March 18, 2001)