Bugtraq mailing list archives

shtml.exe reveal local path of IIS web directory

From: root () CNNS NET (Frankie Zie)
Date: Sat, 6 May 2000 23:16:35 -0000


I found there is a security problem about shtml.exe that 
allows anyone to explore the local path of IIS web server. 
Tested on windows2000 server.shtml.exe is a program issued 
with Forntpage Extention server for viewing smart HTML 
file, If we install Frontpage on Windows2000 server, a 
directory names "/_vti_bin" will be installed on web root 
directory. Normally we can view HTML file
or SHTML file by the following method:
http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html
shtml.exe only accepts html¡¢shtml or htm files, if the 
requested file does not exist, we will get the local path 
of the web directory:

http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html

We get the following message:
Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such 
file or folder.

By the way, if we request file that does not exist and the 
extention file name is not html, shtml or asp, such as
http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe, 
We'll get different message:
Cannot run the FrontPage Server Extensions' Smart HTML 
interpreter on this non-HTML page: "postinfo1.exe"

Current thread:

shtml.exe reveal local path of IIS web directory Frankie Zie (May 06)
- Re: shtml.exe reveal local path of IIS web directory Dimitri van de Giessen (May 07)
- Re: shtml.exe reveal local path of IIS web directory Security (May 08)
- <Possible follow-ups>
- Re: shtml.exe reveal local path of IIS web directory SMILER (May 07)
  - Re: shtml.exe reveal local path of IIS web directory Matt Carothers (May 13)