Microsoft IIS version 6.0 contains a flaw which may allow an attacker
to cause a denial of service condition (service hang) or read arbitrary
physical device streams (COM, LPT) by specifying a DOS device name in a
GET request whose URI contains a '/' character immediately before and
after the name of a DOS device.
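
To check whether requests of this shape are reaching a server, the IIS W3C logs can be scanned for a DOS device name sitting between two '/' characters in the URI stem. The script below is an added example, not part of the original advisory or any vendor tooling; the log lines are constructed, and the device list goes beyond the COM and LPT names mentioned above to the rest of the reserved DOS device names.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names. The advisory names COM and LPT; CON, PRN, AUX
# and NUL are added here as a generalization to the full reserved set.
DEVICE_RE = re.compile(r"^(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$", re.IGNORECASE)

def device_segments(uri_stem):
    """Return device names that appear with a '/' immediately before and after."""
    # Decode percent-escapes in case the stem was logged in encoded form.
    segments = unquote(uri_stem).split("/")
    # segments[0] precedes the first '/', segments[-1] follows the last one,
    # so only the interior segments are bounded by '/' on both sides.
    return [s for s in segments[1:-1] if DEVICE_RE.match(s)]

def scan_w3c_log(lines):
    """Return (client_ip, method, uri_stem, devices) for each matching request."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The #Fields directive defines the column order for the rows below it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem = row.get("cs-uri-stem", "")
        devices = device_segments(stem)
        if devices:
            hits.append((row.get("c-ip", "-"), row.get("cs-method", "-"), stem, devices))
    return hits

# Constructed sample log (addresses are from the documentation range).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:01:02 GET /default.aspx - 192.0.2.10 200
2024-01-01 10:01:03 GET /COM1/ - 192.0.2.44 500
2024-01-01 10:01:04 GET /docs/%63om1/page.aspx - 192.0.2.44 500
2024-01-01 10:01:05 GET /files/lpt1 - 192.0.2.10 404
"""

if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

A trailing name such as /files/lpt1 is not reported because no '/' follows it, which matches the condition stated above.
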
According to the Microsoft Security Response Center (MSRC):
"Non vulnerability in IIS 6.0/ASP.NET. Microsoft has completed the
investigation into the public proof of concept code that claims to
demonstrate a vulnerability in IIS 6.0. Our investigation has found
that the claims are incorrect and that the proof of concept code
does not take advantage of a vulnerability in IIS 6.0.
Additionally, the code in question incorrectly claims to use IIS 6.0.
Our investigation has shown the code in question actually uses ASP.NET.
Our investigation has shown that the code has no impact against systems
running ASP.NET 2.0. Systems running ASP.NET 1.1 may experience a
temporary disruption when receiving a large volume of concurrent
requests containing this code. However, as soon as the requests are no
longer submitted, the system returns to normal operation.