Vulnerability Development mailing list archives

Unusual response from IIS with some file names


From: "Woch, Wojciech" <Woch_W () ADMIRAL FR>
Date: Mon, 12 Mar 2001 18:43:15 +0100

Hello,

IIS v4.0 seems to give an unusual response when non-existing files ending with
one of the following sequences of characters are requested:

:~n
|~n
~n:
~n|

where "n" stands for a number between 0-9 (ex: GET /file:~1). Instead of the
regular 404, we get

        HTTP/1.1 500 Server Error
        Server: Microsoft-IIS/4.0
        Date: Mon, 12 Mar 2001 17:08:27 GMT
        Content-Type: text/html
        Content-Length: 126

        <html><head><title>Error</title></head><body>The filename,
        directory name, or volume label syntax is incorrect.
        </body></html>

The text corresponds to the WIN32 status code #123, that can be seen under
sc-win32-status in the log files, as if the message was received directly
from the OS. Normally, special characters that induce a WIN32 status of 123
are shown in the log, but a 404 is still returned instead of the effective
error message from the OS (ex: GET /file||1). This behaviour seems to be
introduced by MS00-30 (at least it shows up after installing IIS with
defaults + MS00-30 on NT 4.0).

Trying to pipe commands directly following the file name with regular shell
escapes (&|) or overflowing (returns to a 404 after about 278 characters)
doesn't give up much, maybe someone can push it a little further/has an idea
about the issue?
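
Added example, not part of the original post: a log check that separates requests where Win32 status 123 reached the client as a 500 from those where it was masked by a 404, as the message describes. It assumes W3C extended logs with the cs-uri-stem, sc-status and sc-win32-status fields enabled; the sample entries and the labels are constructed for illustration.

```python
import re

# Trailing sequences named in the post: ":~n", "|~n", "~n:", "~n|" (n = 0-9).
TRAILING_SEQ = re.compile(r"(?:[:|]~[0-9]|~[0-9][:|])$")
ERROR_INVALID_NAME = "123"  # Win32 status quoted in the post

def parse_w3c(lines):
    """Yield one dict per entry, using the most recent #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed entries
                yield dict(zip(fields, values))

def classify(entry):
    """Return a label (names are this example's own) for status-123 entries."""
    if entry.get("sc-win32-status") != ERROR_INVALID_NAME:
        return None
    if entry.get("sc-status") == "500":
        stem = entry.get("cs-uri-stem", "")
        return "os-error-surfaced" if TRAILING_SEQ.search(stem) else "os-error-other"
    return "masked"  # e.g. the 404 the post describes for /file||1

def scan(lines):
    """Return (uri stem, HTTP status, label) for every status-123 entry."""
    return [(e.get("cs-uri-stem", ""), e.get("sc-status", ""), classify(e))
            for e in parse_w3c(lines) if classify(e)]

# Constructed sample log (not taken from a real server).
SAMPLE = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status
2001-03-12 17:08:27 192.0.2.10 GET /file:~1 500 123
2001-03-12 17:08:31 192.0.2.10 GET /file||1 404 123
2001-03-12 17:08:40 192.0.2.10 GET /missing.htm 404 2
2001-03-12 17:09:02 192.0.2.11 GET /doc~3| 500 123
""".splitlines()

if __name__ == "__main__":
    for stem, status, label in scan(SAMPLE):
        print(f"{label:18} {status} {stem}")
```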

