[14841] in bugtraq
Re: shtml.exe reveal local path of IIS web directory
daemon@ATHENA.MIT.EDU (Dimitri van de Giessen)
Mon May 8 16:03:37 2000
Message-Id: <20000508045953.27859.qmail@securityfocus.com>
Date: Mon, 8 May 2000 04:59:53 -0000
Reply-To: Dimitri van de Giessen <info@IS-WATCH.NL>
From: Dimitri van de Giessen <info@IS-WATCH.NL>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000506231635.11347.qmail@securityfocus.com>
These are the responses from the Microsoft security team:
Hi Dmitri -
Wanted to get back in touch and let you know what we've
found. As you reported, the error message does provide
information about the location of the files on the server.
However, by itself this isn't a security vulnerability --
that is, it wouldn't allow someone to compromise data on
the server, prevent legitimate users from being serviced,
or usurp administrative control over the machine. However,
it could be useful as a reconnaissance tool, and we will
definitely fix it. We're going to be delivering a service
release via the web (OSR 1.2) very soon, and we have
already made the needed changes.
Thanks again for reporting this issue to us, and we look
forward to working with you again in the future. Best
regards,
Secure@microsoft.com
From: Gabe Bratton
Sent: Thursday, May 04, 2000 9:44 AM
To: Microsoft Security Response Center; Rohit Wad
Cc: Tom Gallagher; Arthur Tanaka; Tad Coburn
Subject: RE: SHTML.DLL Reveals Location of Web Files [MSRC 217]
I spoke with Rohit this morning, and we will fix this for
SR1.2.
Tom - Rohit will make a private release today. When you get
a chance, please port O10 bug 11197 to the Office 9 raid
database (if you have not already) and assign it to Rohit.
The fix by for this bug will be SR2 and eventually WebRel2
when Raid gets updated.
Security - Notify those folks that want to know about this
that we will be fixing for SR 1.2 web release. If you have
any questions about this, please reply to me only.
Tad - fyi
Thanks
Gabe
-----Original Message-----
From: Internet Security Watch [mailto:info@is-watch.nl]
Sent: Tuesday, May 02, 2000 8:51 AM
To: Microsoft Security Response Center
Subject: RE: I have found a bug in your product " Internet Information server 4".
Hi Security Team,
This is my advisory. This is my first advisory that I have made for Microsoft.
I want to ask that, in the publicity or mailings around this discovery to
your customers, the name of the founder, "Internet Security Watch" Dimitri
van de Giessen in The Netherlands, will be named.
Yours faithfully,
Internet Security Watch
Dimitri van de Giessen
*====================*
Tested on:
Windows NT 4
Internet Information Server 4
*------------------------------------*
Description
*************
Internet Security Watch has discovered that path naming is still possible on
many sites. It's not an extension but it's something else.
Details
********
On a standard Information server install you can choose where you want to
install your wwwroot. The wwwroot has to be a secret so that hackers can't
access the files you don't want to give authorization for. A good example are
hosting providers.
Examples:
d:\inetpub\site1.com\index.htm
d:\inetpub\site2.com\index.htm
d:\inetpub\site3.com\index.htm
If they see your path they may know too much.
We all know now .idc, .idq, .ida, .pl and .htx but all these bugs are fixed
by Microsoft in all kinds of service packs and patches.
We had to search in the wild for servers that are vulnerable to this bug.
How can you find that kind of server?
It's very simple. Just find on the internet on fault.
Go to hotbot and find servers with the description: Smart HTML interpreter
WEB RESULTS more than 1,000
One server in the wild is www.powerASP.com
This is a server that is patched in many ways. So this is a good example.
(sorry for this example)
There is a directory with the name: _vti_bin
In this directory is a dll that does path naming.
An example:
www.powerasp.com/_vti_bin/shtml.dll/nosuch.htm
Cannot open "D:\Inetpub\virtuals\powerasp\nosuch.htm": no such file or folder.
And there it is. The path of powerasp. And as you can see. Maybe it's a
hosting provider too.
Solution
*********
We are not aware of any fix if you use shtml.dll.
About Internet Security Watch
***********************************
We are a company that tests the security of a company on request.
www.is-watch.nl
info@is-watch.nl
-----------------------------------------
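
Added example, not part of the original message or of Microsoft's fix: a check an administrator could run over error bodies captured from their own server to find responses that disclose an absolute server path, as the shtml.dll error quoted above does, and to show what the same body looks like with the path reduced to its leaf name. The function names (find_local_paths, redact, audit) are hypothetical, and all sample bodies except the first are constructed.

```python
import re
from ntpath import basename  # Windows path rules on any platform

# A quoted path may contain spaces; an unquoted one ends at the first whitespace.
LOCAL_PATH = re.compile(
    r'"(?P<quoted>[A-Za-z]:\\[^"\r\n]*)"'
    r'|(?<![A-Za-z0-9])(?P<bare>[A-Za-z]:\\[^\s"<>|]*)'
)


def find_local_paths(body):
    """Return every absolute drive-letter path found in a response body."""
    return [m.group("quoted") or m.group("bare") for m in LOCAL_PATH.finditer(body)]


def redact(body):
    """Keep only the leaf name, which the client already supplied in the URL."""
    def leaf(m):
        if m.group("quoted") is not None:
            return '"' + basename(m.group("quoted")) + '"'
        return basename(m.group("bare"))
    return LOCAL_PATH.sub(leaf, body)


def audit(responses):
    """Map each URL path to the server paths its error body disclosed."""
    report = {}
    for url_path, body in responses:
        leaked = find_local_paths(body)
        if leaked:
            report[url_path] = leaked
    return report


# First body is the error text quoted in the advisory; the others are constructed.
SAMPLES = [
    ("/_vti_bin/shtml.dll/nosuch.htm",
     r'Cannot open "D:\Inetpub\virtuals\powerasp\nosuch.htm": no such file or folder.'),
    ("/missing.htm", "<h1>404 Not Found</h1>"),
    ("/shop/cart.asp", r"Include file e:\sites\site2\inc\db.asp not found"),
]

if __name__ == "__main__":
    for url_path, leaked in audit(SAMPLES).items():
        print(url_path, "discloses", leaked)
    print(redact(SAMPLES[0][1]))
```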