As pointed out in this blog entry and verified in Microsoft's knowledge base, Microsoft is giving out some pretty dangerous security advice on how to set up Python CGI. Basically, the IIS mapping the recommend for Python CGI is "C:\Python20\python.exe %s %s". The problem, as noted in the blog:
Unfortunately this is not just wrong, but possibly dangerous. The first problem is that it'll break if a CGI script's filename has a space in it, because everything after the space becomes parameters to the script. Secondly, if the script name starts with a hyphen, it become a flag to the Python interpreter. And there are some dangerous flags—for example -c allows you to execute any Python code.
If the ‘check file exists’ option is turned on, this is only an annoyance in that you can't use script names with these characters in. However if turned off an attacker would be able to abuse these holes without you having to provide a script with a weird name.
The solution is to put the ‘%s’s in quotes, and ensure that the ‘check file exists’ option is always on.
Oh, wait! Naturally, I had to do some digging. Looks like they have similarly bogus advice for Perl. Curiously, the latter link shows up as a blank page in my Firefox but renders just fine in IE.