Following on from the last .asp vulnerability, which applied to
URLs ending in spaces, and the previous one, which allowed .asp files
to be read if they end in ".", it turns out that there is yet
another, due to alternate data streams.
The unnamed data stream is normally accessed using the filename
itself, with further named streams accessed as filename:stream.
However, the unnamed data stream can also be accessed using filename::$DATA.
If you open http://company.com/script.asp::$DATA it turns out
that you will be presented with the source of the ASP instead
of the output.
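The check below is an added example, not code from the original advisory or from Microsoft: it reduces each requested file name to the file it refers to on disk and flags requests where that file is a script but the raw name no longer ends in the script extension. It covers the three forms named above (::$DATA, trailing ".", trailing space); the function names, the SCRIPT_EXTS list and the sample request targets are assumptions.

```python
import re
from urllib.parse import unquote

SCRIPT_EXTS = (".asp",)  # assumption: extensions mapped to a script handler
# Matched case-insensitively to be conservative.
UNNAMED_STREAM = re.compile(r"::\$DATA$", re.IGNORECASE)

def canonical_name(segment):
    """Reduce a file name to the file it refers to, per the three aliases above."""
    name = UNNAMED_STREAM.sub("", segment)  # filename::$DATA is the unnamed stream
    return name.rstrip(". ")                # trailing dots and spaces: same file

def check_request(target):
    """Return a reason if the request sidesteps the script mapping, else None."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode once
    segment = path.rsplit("/", 1)[-1]
    raw_is_script = segment.lower().endswith(SCRIPT_EXTS)
    real_is_script = canonical_name(segment).lower().endswith(SCRIPT_EXTS)
    if real_is_script and not raw_is_script:
        if UNNAMED_STREAM.search(segment):
            return "unnamed-stream alias (::$DATA)"
        return "trailing dot or space"
    return None

# Constructed sample request targets, not taken from real logs.
SAMPLES = [
    "/script.asp",
    "/script.asp::$DATA",
    "/script.asp.",
    "/script.asp%20",
    "/images/logo.gif",
    "/script.asp?id=1",
]

def scan(targets):
    """Return (target, reason) for every target that should be denied."""
    results = [(t, check_request(t)) for t in targets]
    return [(t, reason) for t, reason in results if reason]

if __name__ == "__main__":
    for target, reason in scan(SAMPLES):
        print(f"DENY {target!r}: {reason}")
```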
Fix for this problem
Fixes are available at http://www.microsoft.com/security.