[14842] in bugtraq
Re: shtml.exe reveal local path of IIS web directory
daemon@ATHENA.MIT.EDU (SMILER)
Mon May 8 16:27:22 2000
Message-Id: <002001bfb883$3b3949e0$70bcfea9@f3t2j0>
Date: Mon, 8 May 2000 01:20:35 +0100
Reply-To: SMILER <smiler@VXD.ORG>
From: SMILER <smiler@VXD.ORG>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
I tested this on Win NT 4.0 and it also reveals the local path of the IIS web
directory.
-----Original Message-----
From: Frankie Zie <root@CNNS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM <BUGTRAQ@SECURITYFOCUS.COM>
Date: Sunday, 7 May 2000 22:08
Subject: shtml.exe reveal local path of IIS web directory
>I found there is a security problem with shtml.exe that
>allows anyone to explore the local path of the IIS web server.
>Tested on Windows 2000 Server. shtml.exe is a program issued
>with the FrontPage Extension server for viewing smart HTML
>files. If we install FrontPage on Windows 2000 Server, a
>directory named "/_vti_bin" will be installed in the web root
>directory. Normally we can view an HTML file
>or SHTML file by the following method:
>http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html
>shtml.exe only accepts html, shtml or htm files; if the
>requested file does not exist, we will get the local path
>of the web directory:
>
>http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html
>
>We get the following message:
>Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such
>file or folder.
>
>By the way, if we request a file that does not exist and the
>file name extension is not html, shtml or asp, such as
>http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe,
>we'll get a different message:
>Cannot run the FrontPage Server Extensions' Smart HTML
>interpreter on this non-HTML page: "postinfo1.exe"
>
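
An added example, not part of either message above: a check an administrator could run over response bodies from their own server (or in an outbound response filter) to tell the two error messages quoted in the post apart and flag the one that leaks an absolute path. The function names are hypothetical and the sample bodies are constructed from the messages quoted in the post.

```python
import re

# The two error bodies quoted in the post. Whitespace is matched loosely
# because the messages may be wrapped across lines.
PATH_LEAK = re.compile(
    r'Cannot\s+open\s+"(?P<path>[A-Za-z]:\\[^"\r\n]*)"\s*:\s*no\s+such\s+file\s+or\s+folder',
    re.IGNORECASE,
)
NON_HTML = re.compile(
    r"Cannot\s+run\s+the\s+FrontPage\s+Server\s+Extensions'\s+Smart\s+HTML\s+"
    r'interpreter\s+on\s+this\s+non-HTML\s+page:\s*"(?P<name>[^"\r\n]*)"',
    re.IGNORECASE,
)

def classify_body(body):
    """Return (kind, detail) for one response body.

    kind is 'path-disclosure' (detail = leaked absolute path),
    'non-html-error' (detail = echoed file name only), or 'clean'.
    """
    m = PATH_LEAK.search(body)
    if m:
        return "path-disclosure", m.group("path")
    m = NON_HTML.search(body)
    if m:
        return "non-html-error", m.group("name")
    return "clean", None

def web_root_of(leaked_path):
    """Directory part of a leaked Windows path, i.e. what was revealed."""
    return leaked_path.rsplit("\\", 1)[0]

def redact(body):
    """Replace the leaked directory with a marker, keeping the file name."""
    def _sub(m):
        p = m.group("path")
        return m.group(0).replace(p, "[redacted]\\" + p.rsplit("\\", 1)[1])
    return PATH_LEAK.sub(_sub, body)

if __name__ == "__main__":
    # Constructed sample bodies, built from the messages quoted in the post.
    samples = [
        'Cannot open "d:\\inetpub\\wwwroot\\postinfo1.html": no such\nfile or folder.',
        "Cannot run the FrontPage Server Extensions' Smart HTML\n"
        'interpreter on this non-HTML page: "postinfo1.exe"',
        "<html><body>postinfo</body></html>",
    ]
    for body in samples:
        print(classify_body(body), "->", repr(redact(body)))
```

Only the first message type exposes the directory layout; the second echoes back the requested file name and nothing about the file system.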