Bugtraq mailing list archives

Re: shtml.exe reveal local path of IIS web directory


From: info () IS-WATCH NL (Dimitri van de Giessen)
Date: Mon, 8 May 2000 04:59:53 -0000


These are the responses of the Microsoft security team:

Hi Dmitri - 

Wanted to get back in touch and let you know what we've 
found.  As you reported, the error message does provide 
information about the location of the files on the server.  
However, by itself this isn't a security vulnerability -- 
that is, it wouldn't allow someone to compromise data on 
the server, prevent legitimate users from being serviced, 
or usurp administrative control over the machine.  However, 
it could be useful as a reconnaissance tool, and we will 
definitely fix it.  We're going to be delivering a service 
release via the web (OSR 1.2) very soon, and we have 
already made the needed changes.  

Thanks again for reporting this issue to us, and we look 
forward to working with you again in the future.  Best 
regards,

Secure () microsoft com 

From: Gabe Bratton
Sent: Thursday, May 04, 2000 9:44 AM
To: Microsoft Security Response Center; Rohit Wad
Cc: Tom Gallagher; Arthur Tanaka; Tad Coburn
Subject: RE: SHTML.DLL Reveals Location of Web Files [MSRC 217]

I spoke with Rohit this morning, and we will fix this for 
SR1.2. 
Tom - Rohit will make a private release today. When you get 
a chance, please port O10 bug 11197 to the Office 9 raid 
database (if you have not already) and assign it to Rohit. 
The fix by for this bug will be SR2 and eventually WebRel2 
when Raid gets updated. 

Security - Notify those folks that want to know about this 
that we will be fixing for SR 1.2 web release. If you have 
any questions about this, please reply to me only. 

Tad - fyi 
Thanks 

Gabe 

-----Original Message----- 
From: Internet Security Watch [mailto:info () is-watch nl] 
Sent: Tuesday, May 02, 2000 8:51 AM 
To: Microsoft Security Response Center 
Subject: RE: I have found a bug in your product "Internet Information server 4".

Hi Security Team, 

This is my advisory. This is my first advisory that I have made for
Microsoft.

I want to ask you that in the publicity or mailings around this discovery to
your customers the name of the founder, "Internet Security Watch" Dimitri
van de Giessen in The Netherlands, will be named.

Yours faithfully,

Internet Security Watch 

Dimitri van de Giessen 

*====================* 

 Tested on: 
 Windows NT 4 
 Internet Information Server 4 

*------------------------------------* 

    Description 
    ************* 
Internet Security Watch has discovered that path naming still is possible on
many sites. It's not an extension but it's something else.

    Details 
    ******** 
On a standard Information server install you can choose where you want to
install your wwwroot. The wwwroot has to be a secret so that hackers can't
access the files you don't want to give authorization for. A good example are
hosting providers.
Examples:
d:\inetpub\site1.com\index.htm
d:\inetpub\site2.com\index.htm 
d:\inetpub\site3.com\index.htm 

If they see your path they may know too much.

We all know now .idc, .idq, .ida, .pl and .htx but all these bugs are fixed
by Microsoft in all kinds of service packs and patches.

We had to search in the wild for servers that are vulnerable to this bug.
How can you find that kind of server?
It's very simple. Just search the internet for the fault.
Go to hotbot and find servers with the description: Smart HTML interpreter
WEB RESULTS   more than 1,000
One server in the wild is www.powerASP.com
This is a server that is patched in many ways. So this is a good example.
(sorry for this example)

There is a directory with the name: _vti_bin
In this directory is a dll that does path naming.

An example:
www.powerasp.com/_vti_bin/shtml.dll/nosuch.htm

Cannot open "D:\Inetpub\virtuals\powerasp\nosuch.htm": no such file or folder.

And there it is. The path of powerasp. And as you can see. Maybe it's a
hosting provider too.

    Solution 
    ********* 
We are not aware of any fix if you use shtml.dll. 

    About Internet Security Watch 
    *********************************** 
We are a company that tests the security of a company on request.
www.is-watch.nl 
info () is-watch nl 

----------------------------------------- 
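
The error text quoted in the advisory above can be checked for from the server owner's side. The following is an added example, not part of the original post or of any Microsoft code: it scans response bodies for absolute Windows paths and shows a redaction step for an outbound error-page filter. The host www.example.test, the function names and the second and third sample bodies are constructed for illustration.

```python
import re

# Absolute Windows path: drive letter, colon, backslash, directory segments
# (spaces allowed), then a final segment without whitespace.
WIN_PATH = re.compile(
    r'\b[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\s]*'
)

def find_path_leaks(body):
    """Return every absolute Windows path that appears in a response body."""
    return WIN_PATH.findall(body)

def redact(body, marker="[local path removed]"):
    """Replace leaked paths, e.g. in an outbound error-page filter."""
    return WIN_PATH.sub(marker, body)

def audit(responses):
    """Map each URL to the paths its body leaks; clean responses are omitted."""
    findings = {}
    for url, body in responses:
        leaks = find_path_leaks(body)
        if leaks:
            findings[url] = leaks
    return findings

# Constructed sample responses from a hypothetical host (www.example.test).
# The first body is the error text quoted in the advisory.
SAMPLE_RESPONSES = [
    ("http://www.example.test/_vti_bin/shtml.dll/nosuch.htm",
     'Cannot open "D:\\Inetpub\\virtuals\\powerasp\\nosuch.htm": '
     'no such file or folder.'),
    ("http://www.example.test/missing.htm",
     "HTTP Error 404: the page cannot be found."),
    ("http://www.example.test/app/error",
     "Could not load C:\\Program Files\\App\\web.config for this request"),
]

if __name__ == "__main__":
    for url, leaks in audit(SAMPLE_RESPONSES).items():
        print(url, "->", leaks)
    print(redact(SAMPLE_RESPONSES[0][1]))
```

Run against your own server's error responses, any non-empty result from `audit` marks a page that exposes the web root layout.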

