ASP/File security issue

A costumer of mine just informed me that he can access the root of my server and surf the whole lot. Even write files and directories to anywhere he desire. I run a Windows 2003 server. By using a file called drives.asp and setting it to root, like this: /drives.asp?path=c: he have full access. drives.asp is a filemanager for asp.

Does anyone know how to avoid this ?

The server is a Windows 2003 server and is setup nearly default, Using IIS.

Any comments please?

 

 

 

 

Top