Georgi Guninski security advisory #40 - Security bugs in interactions between IE 5.x, IIS 5.0 and Exchange 2000. If a malicious web page is browsed with IE it is possible to list the directories of arbitrary IIS 5.0 servers to which the browsing user has access. Under certain circumstances it is also possible to read the user's email or folders if it is stored on an Exchange 2000 server with web storage (it uses IIS 5.0). It is also possible to create (or probably modify) files on the Exchange 2000 server with web storage. Example exploit included.
205a751214009b7efd4735ff3f131ee63a782759f29f253d522602889ff54916