source: http://www.securityfocus.com/bid/189/info

Web-based administration for IIS 4.0 is, by default, limited to the local loopback address, 127.0.0.1. In instances where IIS4.0 was installed as an upgrade to IIS 2.0 or 3.0, a legacy ISAPI DLL (ISM.DLL) is left in the /scripts/iisadmin directory. An attacker may call this DLL via the following syntax:

http://www.server.com/scripts/iisadmin/ism.dll?http/dir

This URL prompts the user for a username/password to access the remote administration console. Although approved access does not permit the user to commit changes to the IIS server, it may allow them to gather sensitive information about the web server and its configuration.
源链接

Hacking more

...