Microsoft Internet Information Server v 1.0 ".bat" Security Bug
The .bat and .cmd bug is well known in the Netscape server and is described in the WWW Security FAQ, Q59.
- undocumented remote administration feature
The IIS Web server maps the .bat and .cmd extensions to cmd.exe.
1) The IIS Web server allows a hacker to execute his "batch file" by typing /scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
In a similar situation with the Netscape server, only a single command can be executed.
2) There is no file abracadabra.bat in the /scripts directory, but the .bat extension is mapped to C:\WINNT35\System32\cmd.exe
In a similar situation with the Netscape server, an actual .bat file must exist.
3) If a hacker enters a command like "time" or "date" as COMMAND[N], nothing will be logged by the IIS Web server.
In a similar situation with the Netscape server, the error log will have a record of the remote IP and the command you are trying to execute.
4. Workaround
Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature of the IIS Web server.
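
An added example, not part of the original advisory: a Python check that flags requests matching the pattern in point 1, meant for access logs kept by a proxy or gateway in front of the server (an assumption, since point 3 notes that IIS itself may log nothing). The Common Log Format input, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

BATCH_EXTENSIONS = (".bat", ".cmd")   # extensions the advisory says map to cmd.exe
SHELL_META = re.compile(r"[&|<>^]")   # cmd.exe separators and redirection characters
# Common Log Format: client, identity, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3}')

# Constructed sample lines (documentation addresses), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/1996:10:00:01 +0000] "GET /default.htm HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Mar/1996:10:00:05 +0000] "GET /scripts/abracadabra.bat?&time HTTP/1.0" 200 61',
    '198.51.100.7 - - [01/Mar/1996:10:00:09 +0000] "GET /scripts/ABRACADABRA.CMD?%26date HTTP/1.0" 200 58',
    '192.0.2.44 - - [01/Mar/1996:10:02:00 +0000] "GET /scripts/report.bat?year=1996 HTTP/1.0" 200 512',
]

def _decode(value, rounds=3):
    """Percent-decode repeatedly so that %26 and %2526 both end up as '&'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return 'ok', 'batch-mapping' or 'batch-command' for one request target."""
    parts = urlsplit(target)
    # Conservative: compare case-insensitively and look at every path segment.
    segments = _decode(parts.path).lower().split("/")
    if not any(seg.endswith(BATCH_EXTENSIONS) for seg in segments):
        return "ok"
    if SHELL_META.search(_decode(parts.query)):
        return "batch-command"    # query carries a command separator
    return "batch-mapping"        # mapping is still reachable: apply the workaround

def scan(lines):
    """Return (client, target, verdict) for every log line that is not 'ok'."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (verdict := classify(m.group(2))) != "ok":
            findings.append((m.group(1), m.group(2), verdict))
    return findings

if __name__ == "__main__":
    for client, target, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:14} {client:15} {target}")
```

A "batch-mapping" hit with no separator in the query still shows that the extension is being served, so the workaround above has not been applied on that host.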