Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending +.htr to a request for a known .asp (or .asa, .ini, etc) file.
.htr script mappings should be removed if not required. - open Internet Services Manager - right click on the web server and select properties - select WWW service > Edit > Home Directory > Configuration - remove the application mappings reference to .htr If .htr functionality is required, install the relevant patches from Microsoft (MS01-004)
Updated on 2015-03-25