Bugtraq mailing list archives

Re: More Microsoft debri

From: mikehow () MICROSOFT COM (Michael Howard)
Date: Thu, 23 Apr 1998 11:40:23 -0700


i work on the iis team, not fp, but i'll take a stab. the shtml.exe file is
used by the frontpage editor when it wants to upload work from the editor to
the server. this communication is performed using http. the same fp server
extensions (as they are called) are used by visual interdev.

the extensions are not specific to microsoft servers, they are available on
various flavors of unix too. what's possibly happening is someone is using
fp or vid to work on your server. if the fp extensions are not there then
fp/vid will not be able to upload stuff to your server, but you will
probably see a log entry like that listed below from a tool trying to test
if the extensions are loaded on the server.

the link updating theory is interesting, but i don't think that fp tries to
call any executable to verify off-server links. but i'd need to check with
the fp guys... let me know if you want me to persue it...

cheers, mh
mikehow () microsoft com
program manager
iis security


-----Original Message-----
From: Lloyd Vancil [mailto:lev () APPLE COM]
Sent: Thursday, April 23, 1998 8:36 AM
To: BUGTRAQ () NETSPACE ORG
Subject: More Microsoft debri


Looking at my Netscape error log on my web servers recently I have found
several entries that look like this:

[08/Apr/1998:08:07:07] config: for host *blah* trying to POST
/_vti_bin/shtml.exe/_vti_rpc, handle-processed reports: no way to service
request for /_vti_bin/shtml.exe/_vti_rpc

Host name removed to protect the -apparently- innocent


The file being posted here is the M$ control file  for servers managed by
"FrontPage."

In the beginning I thought these were all attempts to "take over" my
server
by placing a hacked version of the software in my server.  Since we don't
run NT or 95, for obvious reasons, I was somewhat surprised by the
frequency of such brain dead attacks and even more surprised that it
might work.

Recently I have learned that the M$ software itself attempts to POST to
this file if you attempt to "verify off site links" on a server managed
by this software.

IN-other-words, every time you attempt to verify links to other servers
on your M$ managed
http server, that server will ASSUME that every one is a M$ managed
server and add yet another error entry to their error file.


I have notified M$   -as expected No response-



         lev@    _/_/_/_/  _/_/_/_/  _/_/_/_/  _/      _/_/_/
searchmaster@   _/    _/  _/    _/  _/    _/  _/      _/
               _/    _/  _/_/_/_/  _/_/_/_/  _/      _/_/_/    .com
              _/_/_/_/  _/        _/        _/      _/
             _/    _/  _/        _/        _/_/_/  _/_/_/

Current thread:

More Microsoft debri Lloyd Vancil (Apr 23)
- <Possible follow-ups>
- Re: More Microsoft debri Michael Howard (Apr 23)
  - Re: More Microsoft debri pedward () WEBCOM COM (Apr 23)
    - Re: More Microsoft debri James E. Robinson, III (Apr 23)
  - Another Frontpage Bug, with promiscuous ScriptAliases pedward () WEBCOM COM (Apr 23)
    - Flaw in HTTP-Authentication in O'Reilly Website Pro BarKode (Apr 23)
    - Re: Another Frontpage Bug, with promiscuous ScriptAliases Marc Slemko (Apr 23)
    - How to exploit AlephOne by JP of AntiOnline F0RMiCA (Apr 24)
    - Security Hole in Netscape Enterprise Server 3.0 Daragh Malone (Apr 24)
    - Re: Security Hole in Netscape Enterprise Server 3.0 Matthew Frederick (Apr 24)
    - How to exploit mudge by AlephOne by JP AntiOnline Dr. Mudge (Apr 24)
    - Re: How to exploit mudge by AlephOne by JP AntiOnline Aleph One (Apr 24)