Bugtraq mailing list archives
Re: More Microsoft debri
From: mikehow () MICROSOFT COM (Michael Howard)
Date: Thu, 23 Apr 1998 11:40:23 -0700
i work on the iis team, not fp, but i'll take a stab.

the shtml.exe file is used by the frontpage editor when it wants to upload work from the editor to the server. this communication is performed using http. the same fp server extensions (as they are called) are used by visual interdev. the extensions are not specific to microsoft servers, they are available on various flavors of unix too.

what's possibly happening is someone is using fp or vid to work on your server. if the fp extensions are not there then fp/vid will not be able to upload stuff to your server, but you will probably see a log entry like that listed below from a tool trying to test if the extensions are loaded on the server.

the link updating theory is interesting, but i don't think that fp tries to call any executable to verify off-server links. but i'd need to check with the fp guys... let me know if you want me to pursue it...

cheers, mh

mikehow () microsoft com
program manager
iis security

-----Original Message-----
From: Lloyd Vancil [mailto:lev () APPLE COM]
Sent: Thursday, April 23, 1998 8:36 AM
To: BUGTRAQ () NETSPACE ORG
Subject: More Microsoft debri

Looking at my Netscape error log on my web servers recently I have found several entries that look like this:

[08/Apr/1998:08:07:07] config: for host *blah* trying to POST /_vti_bin/shtml.exe/_vti_rpc, handle-processed reports: no way to service request for /_vti_bin/shtml.exe/_vti_rpc

Host name removed to protect the -apparently- innocent

The file being posted here is the M$ control file for servers managed by "FrontPage." In the beginning I thought these were all attempts to "take over" my server by placing a hacked version of the software in my server. Since we don't run NT or 95, for obvious reasons, I was somewhat surprised by the frequency of such brain dead attacks and even more surprised that it might work.

Recently I have learned that the M$ software itself attempts to POST to this file if you attempt to "verify off site links" on a server managed by this software. IN-other-words, every time you attempt to verify links to other servers on your M$ managed http server, that server will ASSUME that every one is a M$ managed server and add yet another error entry to their error file.

I have notified M$ -as expected No response-
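
Added example, not part of either message above: a Python sketch that groups requests for the FrontPage extension path by host, using the error-log entry shape quoted in the thread, so an administrator can see which hosts generate these entries and when. The regex, the function name and the sample hosts are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry shape copied from the log line quoted in the thread; other server
# versions may log differently (assumption).
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\w+:\s+for host (?P<host>\S+)\s+"
    r"trying to (?P<method>[A-Z]+)\s+(?P<path>[^\s,]+),"
)
FP_PREFIX = "/_vti_bin/"  # directory of the FrontPage server extensions


def summarize_fp_requests(lines):
    """Group requests under /_vti_bin/ by requesting host."""
    hosts = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "paths": set()}
    )
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or not m["path"].lower().startswith(FP_PREFIX):
            continue  # unparseable line, or an unrelated "no way to service" error
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        rec = hosts[m["host"]]
        rec["count"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["paths"].add(f'{m["method"]} {m["path"]}')
    return dict(hosts)


# Constructed sample lines (hosts are placeholders, not taken from the thread).
LINE = ("[{ts}] config: for host {host} trying to {req}, handle-processed "
        "reports: no way to service request for {path}")
RPC = "/_vti_bin/shtml.exe/_vti_rpc"
SAMPLE = [
    LINE.format(ts="08/Apr/1998:08:07:07", host="editor-a.example", req="POST " + RPC, path=RPC),
    LINE.format(ts="08/Apr/1998:09:15:42", host="editor-a.example", req="POST " + RPC, path=RPC),
    LINE.format(ts="09/Apr/1998:02:00:01", host="editor-b.example", req="POST " + RPC, path=RPC),
    LINE.format(ts="09/Apr/1998:02:00:05", host="editor-b.example", req="GET /missing.html", path="/missing.html"),
    "not a log entry",
]

if __name__ == "__main__":
    for host, rec in sorted(summarize_fp_requests(SAMPLE).items()):
        print(host, rec["count"], rec["first"], rec["last"], sorted(rec["paths"]))
```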