To put it plainly, this is much the same as the /xxx.asp/aaa.gif case everyone is using now. FROM yuange
The test is as follows:
      1. Environment: Windows 2003 with the latest patches, IIS 6.
      2. Configuration: add the script mappings .ida -> c:\windows\system32\idq.dll and .php -> c:\php\php.exe.
      3. Test: first open procexp (Process Explorer) so the environment variables of new processes can be inspected, then request:
http://127.0.0.1/test.php/bb.ida
          Quickly use procexp to open the new php.exe process spawned under w3wp.exe and look at its environment variables:
          SCRIPT_NAME=/test.php
          PATH_INFO=/test.php/bb.ida
          PATH_TRANSLATED=c:\inetpub\wwwroot\test.php\bb.ida
     This shows that for the request http://127.0.0.1/test.php/bb.ida, IIS 6 selected the .php mapping (the handler is chosen from the first path segment that carries a mapped extension), while PATH_TRANSLATED, the variable a CGI program uses as the script it should execute, is c:\inetpub\wwwroot\test.php\bb.ida. In other words, php.exe is handed the .ida file and executes it.
     "What does that mean? It means I can use any one interpreter to execute a file of any other mapped type."
     The mild consequence is that script source can be leaked (an interpreter for one language will generally emit the parts of a foreign file it does not parse); the severe one is command execution and control of the server.
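The handler selection and CGI variables observed in step 3, modelled in Python, followed by a check that scans IIS W3C log lines for the same request pattern. This is an added example written for this page, not code from yuange or from IIS; the .asp mapping path, the web root and the log lines are constructed assumptions, and the selection rule is inferred from the variables the test shows rather than taken from IIS source.

```python
"""Model of the IIS 6 CGI-variable behaviour observed in the test above, plus a
check over IIS log lines for the same request pattern.  Added illustration for
this page, not code from yuange or from IIS; the script map, web root and log
lines below are constructed for the example."""
import ntpath

# Constructed script map: the two mappings from the test, plus an assumed .asp
# mapping so the /xxx.asp/aaa.gif case from the title can be checked too.
SCRIPT_MAP = {
    ".ida": r"c:\windows\system32\idq.dll",
    ".php": r"c:\php\php.exe",
    ".asp": r"c:\windows\system32\inetsrv\asp.dll",  # assumed path
}
WEB_ROOT = r"c:\inetpub\wwwroot"  # matches the PATH_TRANSLATED seen in the test


def resolve_request(uri_stem, script_map=SCRIPT_MAP, web_root=WEB_ROOT):
    """Derive handler, SCRIPT_NAME, PATH_INFO and PATH_TRANSLATED for a path.

    Modelled on what the test shows: the first path segment whose extension is
    in the script map picks the handler and ends SCRIPT_NAME; PATH_INFO is the
    whole path; PATH_TRANSLATED is the web root joined with PATH_INFO.  So the
    interpreter is chosen by one segment but is handed the last segment's file.
    Returns None when no segment is mapped (static file, no interpreter)."""
    segments = [s for s in uri_stem.split("/") if s]
    for i, seg in enumerate(segments):
        ext = ntpath.splitext(seg)[1].lower()
        if ext in script_map:
            return {
                "handler": script_map[ext],
                "script_ext": ext,
                "target_ext": ntpath.splitext(segments[-1])[1].lower(),
                "SCRIPT_NAME": "/" + "/".join(segments[: i + 1]),
                "PATH_INFO": "/" + "/".join(segments),
                "PATH_TRANSLATED": ntpath.join(web_root, *segments),
            }
    return None


def is_interpreter_confusion(info):
    """True when the file handed to the interpreter has a different (non-empty)
    extension than the one that selected it, e.g. php.exe executing bb.ida.
    Extensionless trailing PATH_INFO (/app.php/info, framework routing) is not
    flagged, a deliberate trade-off to keep the check quiet on normal traffic."""
    return (info is not None
            and info["target_ext"] != ""
            and info["target_ext"] != info["script_ext"])


# Constructed W3C log lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-12-01 10:00:01 10.0.0.5 GET /index.php 200
2009-12-01 10:00:02 10.0.0.5 GET /test.php/bb.ida 200
2009-12-01 10:00:03 10.0.0.9 GET /upload/xxx.asp/aaa.gif 200
2009-12-01 10:00:04 10.0.0.9 GET /images/logo.gif 200
2009-12-01 10:00:05 10.0.0.9 GET /app.php/info 404
"""


def flag_interpreter_confusion(log_text, script_map=SCRIPT_MAP):
    """Scan W3C extended log lines and return (client, uri_stem, handler) for
    requests that would make one mapped interpreter execute another file type."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        client, uri_stem = fields[2], fields[4]
        info = resolve_request(uri_stem, script_map)
        if is_interpreter_confusion(info):
            hits.append((client, uri_stem, ntpath.basename(info["handler"])))
    return hits


if __name__ == "__main__":
    for key, value in resolve_request("/test.php/bb.ida").items():
        print(f"{key}={value}")
    for hit in flag_interpreter_confusion(SAMPLE_LOG):
        print("suspicious:", *hit)
```

The model reproduces the three variables from the test for /test.php/bb.ida and flags that request and the /xxx.asp/aaa.gif form; it only covers the pattern the test demonstrates and does not replace checking the actual script map on the server.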
 
I once sent this test description to MS, but MS's developers did not consider it a vulnerability. Really interesting: they insisted on being given a successful test case. I could not be bothered to argue with their developers any further.
 
 