Bugtraq mailing list archives

Re: shtml.exe reveal local path of IIS web directory


From: security () NEOSMART COM (Security)
Date: Mon, 8 May 2000 09:30:57 -0400


I tried to recreate your problem on my test Windows 2000 box running IIS and
FrontPage 2000 Ext.s.
However I did not get the error you speak of.
Instead I get a different string,

Cannot open "/Space/###.###.##/###/Server/Documents/blah.html": no such file
or folder.

where # stands for ummm a number.

I do still of course get,

Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this
non-HTML page: "blah.exe"

when a non-existent filename without html, shtml, asp.. etc. is called on.

What FrontPage ver. are you running on your server?
I've heard of several problems with FrontPage 98 on Win2k.
Not to mention the other hundred thousand problems with win2k.

Greg

----- Original Message -----
From: Frankie Zie <root () CNNS NET>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Saturday, May 06, 2000 7:16 PM
Subject: shtml.exe reveal local path of IIS web directory

I found there is a security problem with shtml.exe that
allows anyone to explore the local path of the IIS web server.
Tested on Windows 2000 server. shtml.exe is a program issued
with FrontPage Extension server for viewing smart HTML
files. If we install FrontPage on Windows 2000 server, a
directory named "/_vti_bin" will be installed in the web root
directory. Normally we can view an HTML file
or SHTML file by the following method:
http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html
shtml.exe only accepts html, shtml or htm files. If the
requested file does not exist, we will get the local path
of the web directory:

http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html

We get the following message:
Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such
file or folder.

By the way, if we request a file that does not exist and the
file name extension is not html, shtml or asp, such as
http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe,
we'll get a different message:
Cannot run the FrontPage Server Extensions' Smart HTML
interpreter on this non-HTML page: "postinfo1.exe"
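
The two error strings quoted in this thread can be told apart mechanically when reviewing captured responses from your own server. The following is an added example, not part of either message: it flags bodies where the quoted value is an absolute server-side path and shows a redacted form. The function names and sample bodies are constructed for illustration.

```python
import re

# Error strings quoted in the thread. Mail wrapping can split them across
# lines, so whitespace is collapsed before matching.
CANNOT_OPEN = re.compile(r'Cannot open "([^"]+)": no such file or folder', re.I)
NON_HTML = re.compile(r'Smart HTML interpreter on this non-HTML page: "([^"]+)"', re.I)

# Drive-letter, UNC, or rooted Unix-style path means a server-side location.
ABSOLUTE = re.compile(r'^(?:[A-Za-z]:[\\/]|\\\\|/)')


def classify(body):
    """Return (kind, quoted_value) for a response body, or (None, None)."""
    text = " ".join(body.split())
    m = CANNOT_OPEN.search(text)
    if m:
        value = m.group(1)
        kind = "path_disclosure" if ABSOLUTE.match(value) else "filename_echo"
        return kind, value
    m = NON_HTML.search(text)
    if m:
        # This message only repeats the requested name, not a local path.
        return "filename_echo", m.group(1)
    return None, None


def redact(body):
    """Replace a disclosed absolute path with just its final component."""
    def repl(m):
        value = m.group(1)
        if not ABSOLUTE.match(value):
            return m.group(0)
        leaf = re.split(r'[\\/]', value)[-1]
        return m.group(0).replace(value, leaf)
    return CANNOT_OPEN.sub(repl, " ".join(body.split()))


# Constructed sample bodies, built from the messages quoted in the thread.
SAMPLES = [
    'Cannot open "d:\\inetpub\\wwwroot\\postinfo1.html": no such\nfile or folder.',
    "Cannot run the FrontPage Server Extensions' Smart HTML\n"
    "interpreter on this non-HTML page: \"postinfo1.exe\"",
    "<html><body>ordinary page</body></html>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "|", redact(s))
```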

