Bugtraq: shtml.exe reveal local path of IIS web directory

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

shtml.exe reveal local path of IIS web directory

From: root () CNNS NET (Frankie Zie)
Date: Sat, 6 May 2000 23:16:35 -0000


I found there is a security problem about shtml.exe that 
allows anyone to explore the local path of IIS web server. 
Tested on windows2000 server.shtml.exe is a program issued 
with Forntpage Extention server for viewing smart HTML 
file, If we install Frontpage on Windows2000 server, a 
directory names "/_vti_bin" will be installed on web root 
directory. Normally we can view HTML file
or SHTML file by the following method:
http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html
shtml.exe only accepts html¡¢shtml or htm files, if the 
requested file does not exist, we will get the local path 
of the web directory:

http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html

We get the following message:
Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such 
file or folder.

By the way, if we request file that does not exist and the 
extention file name is not html, shtml or asp, such as
http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe, 
We'll get different message:
Cannot run the FrontPage Server Extensions' Smart HTML 
interpreter on this non-HTML page: "postinfo1.exe"

By Date By Thread

Current thread:

shtml.exe reveal local path of IIS web directory Frankie Zie (May 06)
- Re: shtml.exe reveal local path of IIS web directory Dimitri van de Giessen (May 07)
- Re: shtml.exe reveal local path of IIS web directory Security (May 08)
- <Possible follow-ups>
- Re: shtml.exe reveal local path of IIS web directory SMILER (May 07)
  - Re: shtml.exe reveal local path of IIS web directory Matt Carothers (May 13)