Vulnerability Development mailing list archives

Re: ie5 and .doc URLs


From: george_gales () NON HP COM (George Gales)
Date: Fri, 9 Jun 2000 07:33:47 -0600


The _vti_inf.html and _vti_bin/shtml.exe are related to Microsoft FrontPage,
which has server components for both Windows and Unix, including most Apache
incarnations.

As far as the POST method goes, it's just another way to submit form data
back to the host - in this case, it's how the browser is communicating with
shtml.exe.  Most forms nowadays submit data with the POST method, rather
than the GET method, to keep sensitive data out of the URL.

But this still doesn't explain what the heck IE5 was doing.... everything
below the first line seems superfluous:
        xxx - "GET /~yoda/document.doc HTTP/1.0" 200 83456
        xxx - "OPTIONS /~yoda HTTP/1.0" 301 230
        xxx - "GET /_vti_inf.html HTTP/1.0" 200 3042
        xxx - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 302 215
        xxx - "OPTIONS /~yoda/document.doc HTTP/1.0" 200 -
Perhaps IE5 is checking to see if the file is writable/uploadable, so it can
un-gray the Edit button?

Simon
-----Original Message-----
From: Olivier Thereaux [mailto:ot () ZOY ORG]
Sent: Friday, June 09, 2000 8:39 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: ie5 and .doc URLs

Hi everybody. I do not know whether what I have discovered has already
been discussed or not, but it seemed pretty interesting to me,
therefore, here I go:

[Uncle yoda's (yeah, that's a stupid nick, I know that already) story,
skip it if you lack time]

I wanted to share a Word document with people on a mailing list. I
put it in my public_html, and posted the path to the list (i.e.
http://server/~yoda ).

Watching my apache's access.log, I could see that:

(xxx meaning "stupid windows host belonging to a stupid big consulting
company")

xxx - "GET /~yoda HTTP/1.0" 301 230
xxx - "GET /~yoda/ HTTP/1.0" 200 891
xxx - "GET /icons/blank.gif HTTP/1.0" 200 148
xxx - "GET /icons/back.gif HTTP/1.0" 200 216
xxx - "GET /icons/unknown.gif HTTP/1.0" 200 245
xxx - "GET /~yoda/document.doc HTTP/1.0" 200 83456
xxx - "OPTIONS /~yoda HTTP/1.0" 301 230
xxx - "GET /_vti_inf.html HTTP/1.0" 200 3042
xxx - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 302 215
xxx - "OPTIONS /~yoda/document.doc HTTP/1.0" 200 -

So what? I first supposed someone on the list wanted to play with my
server, but why the hell did he test an IIS script on an apache server?
Sounded weird.

So I asked for an explanation, what I got looked like "sorry, you know,
IE5 sucks..." and so on.

Oh well, great.

[end of the tell-me-about-your-spectacular-life section]

So, it seems IE5 has a rather mononeuronal behaviour when dealing with
.doc URLs. I am actually wondering whether the fact that the shtml.exe
is called with the POST method could allow something *bad* to be
performed against IE5. I believe a GET would have been OK, but what
about POST?

Any idea?

Thanks.

--
Olivier Thereaux
Doko ni datte, hito wa tsunagatteiru.
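A small log-triage script, added here as an illustration and not part of either message, that tells the IE5/Office sequence seen in the access.log above (document fetched first, then OPTIONS and the FrontPage paths) apart from a bare FrontPage probe that arrives with no preceding document fetch. The sample lines are constructed; the "scanner" and "reader" hosts and the idea that .xls/.ppt behave like .doc are assumptions.

```python
import re
from collections import defaultdict

# Matches the trimmed access-log lines quoted in the thread:
#   host - "METHOD /path HTTP/1.0" status bytes
LINE_RE = re.compile(r'^(\S+) - "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) (\S+)$')

FRONTPAGE_PATHS = ("/_vti_inf.html", "/_vti_bin/shtml.exe/_vti_rpc")
OFFICE_EXTS = (".doc", ".xls", ".ppt")  # .doc is what the thread saw; others assumed

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, method, path, status, _size = m.groups()
    return {"host": host, "method": method, "path": path, "status": int(status)}

def classify(lines):
    """Return {host: verdict}. 'office-client': FrontPage paths requested after
    the same host fetched an Office document (the IE5 behaviour in the thread);
    'frontpage-probe': FrontPage paths with no such fetch; 'clean' otherwise."""
    per_host = defaultdict(list)
    for ln in lines:
        rec = parse(ln)
        if rec:
            per_host[rec["host"]].append(rec)
    verdicts = {}
    for host, recs in per_host.items():
        fp_idx = [i for i, r in enumerate(recs) if r["path"] in FRONTPAGE_PATHS]
        if not fp_idx:
            verdicts[host] = "clean"
            continue
        doc_before = any(r["method"] == "GET" and r["path"].lower().endswith(OFFICE_EXTS)
                         for r in recs[:fp_idx[0]])
        verdicts[host] = "office-client" if doc_before else "frontpage-probe"
    return verdicts

# Constructed sample: "xxx" mirrors the thread's log, "scanner" is a bare probe.
SAMPLE_LOG = """\
xxx - "GET /~yoda/ HTTP/1.0" 200 891
xxx - "GET /~yoda/document.doc HTTP/1.0" 200 83456
xxx - "OPTIONS /~yoda HTTP/1.0" 301 230
xxx - "GET /_vti_inf.html HTTP/1.0" 200 3042
xxx - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 302 215
xxx - "OPTIONS /~yoda/document.doc HTTP/1.0" 200 -
scanner - "GET /_vti_inf.html HTTP/1.0" 404 0
scanner - "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 0
reader - "GET /~yoda/document.doc HTTP/1.0" 200 83456
""".splitlines()

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Real access.log lines carry timestamps and user agents; adding a time window and a User-Agent check to the "office-client" rule tightens it considerably.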
