IIS 5.0 and 4.0 allows remote attackers to read the source code for executable web server programs by appending β%3F+.htrβ to the requested URL, which causes the files to be parsed by the .HTR ISAPI extension, aka a variant of the βFile Fragment Reading via .HTRβ vulnerability.