Bugtraq mailing list archives
Re: shtml.exe reveal local path of IIS web directory
From: security () NEOSMART COM (Security)
Date: Mon, 8 May 2000 09:30:57 -0400
I tried to recreate your problem on my test Windows 2000 box running IIS and FrontPage 2000 Ext.s. However I did not get the error you speak of. Instead I get a different string,

Cannot open "/Space/###.###.##/###/Server/Documents/blah.html": no such file or folder.

where # stands for ummm a number. I do still of course get,

Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: "blah.exe"

when a non-existent filename without html, shtml, asp.. etc. is called on.

What FrontPage ver. are you running on your server? I've heard of several problems with Frontpage 98 on Win2k. Not to mention the other hundred thousand problems with win2k.

Greg

----- Original Message -----
From: Frankie Zie <root () CNNS NET>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Saturday, May 06, 2000 7:16 PM
Subject: shtml.exe reveal local path of IIS web directory
I found there is a security problem about shtml.exe that allows anyone to explore the local path of IIS web server. Tested on Windows 2000 server.

shtml.exe is a program issued with FrontPage Extension server for viewing smart HTML file. If we install FrontPage on Windows 2000 server, a directory named "/_vti_bin" will be installed on web root directory. Normally we can view HTML file or SHTML file by the following method:

http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html

shtml.exe only accepts html, shtml or htm files. If the requested file does not exist, we will get the local path of the web directory:

http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html

We get the following message:

Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such file or folder.

By the way, if we request file that does not exist and the extension file name is not html, shtml or asp, such as http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe, we'll get different message:

Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: "postinfo1.exe"
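Added example, not part of the original posts: a Python check an administrator could run over error bodies captured from their own server, to separate the response that discloses a server directory from the one that only echoes the requested name, and to show the redacted form. The function names are assumptions, and the sample bodies are constructed from the error strings quoted in the thread.

```python
import re

# Quoted absolute paths as they appear in the error strings in this thread:
# a drive-letter path (d:\...) or a rooted path (/Space/...).
QUOTED_ABS_PATH = re.compile(r'"((?:[A-Za-z]:[\\/]|/)[^"\r\n]*)"')

# Sample bodies, constructed from the messages quoted in the thread.
WIN_BODY = r'Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such file or folder.'
UNIX_BODY = 'Cannot open "/Space/###.###.##/###/Server/Documents/blah.html": no such file or folder.'
NON_HTML_BODY = ("Cannot run the FrontPage Server Extensions' Smart HTML "
                 'interpreter on this non-HTML page: "postinfo1.exe"')


def leaked_directories(body, requested_name):
    """Return server-side directories exposed in an error body.

    A quoted path is a leak when it ends with the file name the client
    asked for but carries a directory prefix the client never sent.
    """
    leaks = []
    for match in QUOTED_ABS_PATH.finditer(body):
        path = match.group(1)
        # Normalise separators only to split; lengths stay identical.
        head, _, tail = path.replace("\\", "/").rpartition("/")
        if head and tail.lower() == requested_name.lower():
            leaks.append(path[:len(head)])  # prefix with original separators
    return leaks


def redact(body, requested_name):
    """Strip every leaked directory prefix, keeping only the file name."""
    for prefix in leaked_directories(body, requested_name):
        body = body.replace(prefix + "\\", "").replace(prefix + "/", "")
    return body


if __name__ == "__main__":
    for body, name in [(WIN_BODY, "postinfo1.html"),
                       (UNIX_BODY, "blah.html"),
                       (NON_HTML_BODY, "postinfo1.exe")]:
        print(leaked_directories(body, name), "->", redact(body, name))
```

The same two functions can back a regression test after a server update, or an outbound response filter that rewrites the error before it leaves the host.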