Vulnerability Development mailing list archives
Re: ie5 and .doc URLs
From: george_gales () NON HP COM (George Gales)
Date: Fri, 9 Jun 2000 07:33:47 -0600
The _vti_inf.html and _vti_bin/shtml.exe are related to Microsoft FrontPage, which has server components for both Windows and Unix, including most Apache incarnations.

As far as the POST method goes, it's just another way to submit form data back to the host - in this case, it's how the browser is communicating with shtml.exe. Most forms nowadays submit data with the POST method, rather than the GET method, to keep sensitive data out of the URL.

But this still doesn't explain what the heck IE5 was doing.... everything below the first line seems superfluous:

    xxx - "GET /~yoda/document.doc HTTP/1.0" 200 83456
    xxx - "OPTIONS /~yoda HTTP/1.0" 301 230
    xxx - "GET /_vti_inf.html HTTP/1.0" 200 3042
    xxx - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 302 215
    xxx - "OPTIONS /~yoda/document.doc HTTP/1.0" 200 -

Perhaps IE5 is checking to see if the file is writable/uploadable, so it can un-gray the Edit button?

Simon

-----Original Message-----
From: Olivier Thereaux [mailto:ot () ZOY ORG]
Sent: Friday, June 09, 2000 8:39 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: ie5 and .doc URLs

Hi everybody.

I do not know whether what I have discovered has already been discussed or not, but it seemed pretty interesting to me, therefore, here I go:

[Uncle yoda's (yeah, that's a stupid nick, I know that already) story, skip it if you lack time]

I wanted to share a Word document with people on a mailing list. I put it in my public_html, and posted the path to the list (i.e. http://server/~yoda ).

Watching my Apache's access.log, I could see that (xxx meaning "stupid windows host belonging to a stupid big consulting company"):

    xxx - "GET /~yoda HTTP/1.0" 301 230
    xxx - "GET /~yoda/ HTTP/1.0" 200 891
    xxx - "GET /icons/blank.gif HTTP/1.0" 200 148
    xxx - "GET /icons/back.gif HTTP/1.0" 200 216
    xxx - "GET /icons/unknown.gif HTTP/1.0" 200 245
    xxx - "GET /~yoda/document.doc HTTP/1.0" 200 83456
    xxx - "OPTIONS /~yoda HTTP/1.0" 301 230
    xxx - "GET /_vti_inf.html HTTP/1.0" 200 3042
    xxx - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 302 215
    xxx - "OPTIONS /~yoda/document.doc HTTP/1.0" 200 -

So what? I first supposed someone on the list wanted to play with my server, but why the hell did he test an IIS script on an Apache server? Sounded weird. So I asked for an explanation; what I got looked like "sorry, you know, IE5 sucks..." aso. Oh well, great.

[end of the tell-me-about-your-spectacular-life section]

So, it seems IE5 has a rather mononeuronal behaviour when dealing with .doc URLs. I am actually wondering whether the fact that the shtml.exe is called with the POST method could allow something *bad* to be performed against IE5. I believe a GET would have been OK, but what about POST?

Any idea? Thanks.

--
Olivier Thereaux
Doko ni datte, hito wa tsunagatteiru.
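
As an added example (not part of the original thread or of either poster's message): a small Python triage over access-log lines in the abbreviated format quoted above, separating hosts whose OPTIONS and _vti_ requests follow a successful document download from hosts that send them with no document fetch first. The host names, the sample lines and the .xls/.ppt extensions are constructed assumptions; only .doc appears in the thread.

```python
import re

# Constructed sample in the abbreviated format quoted in the thread:
#   host - "METHOD path PROTO" status size
# hostA repeats the sequence from the thread; hostB and hostC are invented.
SAMPLE_LOG = '''\
hostA - "GET /~yoda/document.doc HTTP/1.0" 200 83456
hostA - "OPTIONS /~yoda HTTP/1.0" 301 230
hostA - "GET /_vti_inf.html HTTP/1.0" 200 3042
hostA - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 302 215
hostA - "OPTIONS /~yoda/document.doc HTTP/1.0" 200 -
hostB - "GET /_vti_inf.html HTTP/1.0" 404 210
hostB - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 215
hostC - "GET /~yoda/ HTTP/1.0" 200 891
'''

LINE_RE = re.compile(r'^(\S+) - "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+)$')
# Assumption: the thread only shows .doc; the other extensions are added here.
OFFICE_EXT = ('.doc', '.xls', '.ppt')


def is_discovery_request(method, path):
    """Requests seen after the document GET in the thread's log excerpt."""
    return (method == 'OPTIONS'
            or path == '/_vti_inf.html'
            or path.startswith('/_vti_bin/'))


def classify(log_text):
    """Map each host that sent discovery requests to 'after-document'
    (a successful Office document GET came first) or 'unsolicited'."""
    fetched_doc = set()
    verdict = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the quoted format
        host, method, path, status, _size = m.groups()
        if (method == 'GET' and status == '200'
                and path.lower().endswith(OFFICE_EXT)):
            fetched_doc.add(host)
        elif is_discovery_request(method, path):
            # Only the first discovery request per host sets the label.
            verdict.setdefault(
                host,
                'after-document' if host in fetched_doc else 'unsolicited')
    return verdict


if __name__ == '__main__':
    for host, label in classify(SAMPLE_LOG).items():
        print(host, label)
```
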