[14834] in bugtraq
Re: shtml.exe reveal local path of IIS web directory
daemon@ATHENA.MIT.EDU (Security)
Mon May 8 14:06:18 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <00be01bfb8f1$a47344b0$94ab1ad1@neosmart.com>
Date: Mon, 8 May 2000 09:30:57 -0400
Reply-To: Security <security@NEOSMART.COM>
From: Security <security@NEOSMART.COM>
X-To: BugTraq <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
I tried to recreate your problem on my test Windows 2000 box running IIS and
FrontPage 2000 Ext.s.
However I did not get the error you speak of.
Instead I get a different string,
Cannot open "/Space/###.###.##/###/Server/Documents/blah.html": no such file
or folder.
where # stands for ummm a number.
I do still of course get,
Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this
non-HTML page: "blah.exe"
when a non-existant filename without html, shtml, asp.. etc. is called on.
What FrontPage ver. are you running on your server?
I've heard of several problems with Frontpage 98 on Win2k.
Not to mention the other hundred thousand problems with win2k.
Greg
----- Original Message -----
From: Frankie Zie <root@CNNS.NET>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, May 06, 2000 7:16 PM
Subject: shtml.exe reveal local path of IIS web directory
> I found there is a security problem about shtml.exe that
> allows anyone to explore the local path of IIS web server.
> Tested on windows2000 server.shtml.exe is a program issued
> with Forntpage Extention server for viewing smart HTML
> file, If we install Frontpage on Windows2000 server, a
> directory names "/_vti_bin" will be installed on web root
> directory. Normally we can view HTML file
> or SHTML file by the following method:
> http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html
> shtml.exe only accepts html!"shtml or htm files, if the
> requested file does not exist, we will get the local path
> of the web directory:
>
> http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html
>
> We get the following message:
> Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such
> file or folder.
>
> By the way, if we request file that does not exist and the
> extention file name is not html, shtml or asp, such as
> http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe,
> We'll get different message:
> Cannot run the FrontPage Server Extensions' Smart HTML
> interpreter on this non-HTML page: "postinfo1.exe"
