Bugtraq mailing list archives
Re: shtml.exe reveal local path of IIS web directory
From: info () IS-WATCH NL (Dimitri van de Giessen)
Date: Mon, 8 May 2000 04:59:53 -0000
This are responses of microsoft security team: Hi Dmitri - Wanted to get back in touch and let you know what we've found. As you reported, the error message does provide information about the location of the files on the server. However, by itself this isn't a security vulnerability -- that is, it wouldn't allow someone to compromise data on the server, prevent legitimate users from being serviced, or usurp administrative control over the machine. However, it could be useful as a reconnaissance tool, and we will definitely fix it. We're going to be delivering a service release via the web (OSR 1.2) very soon, and we have already made the needed changes. Thanks again for reporting this issue to us, and we look forward to working with you again in the future. Best regards, Secure () microsoft com From: Gabe Bratton Sent: Thursday, May 04, 2000 9:44 AM To: Microsoft Security Response Center; Rohit Wad Cc: Tom Gallagher; Arthur Tanaka; Tad Coburn Subject: RE: SHTML.DLL Reveals Location of Web Files [MSRC 217] I spoke with Rohit this morning, and we will fix this for SR1.2. Tom - Rohit will make a private release today. When you get a chance, please port O10 bug 11197 to the Office 9 raid database (if you have not already) and assign it to Rohit. The fix by for this bug will be SR2 and eventually WebRel2 when Raid gets updated. Security - Notify those folks that want to know about this that we will be fixing for SR 1.2 web release. If you have any questions about this, please reply to me only. Tad - fyi Thanks Gabe -----Original Message----- From: Internet Security Watch [mailto:info () is-watch nl] Sent: Tuesday, May 02, 2000 8:51 AM To: Microsoft Security Response Center Subject: RE: I have found a bug in your product " Internet Information server 4". Hi Security Team, This is my advisory. This is my first advisory that I have made for Microsoft. I want to ask you that in the publicity or mailings around this discovery to your costumers the name of the founder, " Internet Security watch" Dimitri van de Giessen in The Netherlands, wil be named. Your's faithfully, Internet Security Watch Dimitri van de Giessen *====================* Tested on: Windows NT 4 Internet Information Server 4 *------------------------------------* Description ************* Internet Security Watch has discovered that path naming stil is possible on many site's. It's not an extention but it's something else. Details ******** On a standard Information server install you can choose where do you want to install your wwwroot. The wwwroot has to be a secret so that hackers can't access the files you don't want to give autorition for. A good example are hosting providers. Example's: d:\inetpub\site1.com\index.htm. d:\inetpub\site2.com\index.htm d:\inetpub\site3.com\index.htm If they see your path they maybe know to much. We all know now .idc, .idq, .ida, .pl and .htx but all these bugs are fixed by Microsoft in all kind of service packs and patches. We had to search in the wild for servers that are vulnerable to this bug. How you can find that kind servers? It's very simple. Just find on the internet on fault. Go to hotbot and find servers with the description: Smart HTML interpreter WEB RESULTS more than 1,000 One server in the wild is www.powerASP.com This is a server that is patched on many way's. So this is a good example. (sorry for this example) There is a directory with the name: _vti_bin In this directory is a dll that do path naming. A example: www.powerasp.com/_vti_bin/shtml.dll/nosuch.htm Cannot open "D:\Inetpub\virtuals\powerasp\nosuch.htm": no such file or folder. And there it is. The path of powerasp. And as you can see. Maybe it's a hosting provider too. Solution ********* We are not aware of any fix if you use shtml.dll. About Internet Security Watch *********************************** We are a company that test the security of a company on request. www.is-watch.nl info () is-watch nl -----------------------------------------
Current thread:
- shtml.exe reveal local path of IIS web directory Frankie Zie (May 06)
- Re: shtml.exe reveal local path of IIS web directory Dimitri van de Giessen (May 07)
- Re: shtml.exe reveal local path of IIS web directory Security (May 08)
- <Possible follow-ups>
- Re: shtml.exe reveal local path of IIS web directory SMILER (May 07)
- Re: shtml.exe reveal local path of IIS web directory Matt Carothers (May 13)