COMMAND

    shtml.exe

SYSTEMS AFFECTED

    FrontPage Server Extensions; Win32 systems

PROBLEM

    Frankie Zie found the following.  There is a security problem in
    shtml.exe that allows anyone to discover the local filesystem path
    of the IIS web root.

    This was tested on Windows 2000 Server.  shtml.exe is a program
    shipped with the FrontPage Server Extensions for rendering "smart
    HTML" files.  If FrontPage is installed on a Windows 2000 server, a
    directory named "/_vti_bin" is created under the web root.

    Normally an HTML or SHTML file can be viewed through shtml.exe with
    a request of the following form:

        http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html

    shtml.exe only accepts html, shtml or htm files.  If the requested
    file does not exist, the error message reveals the local path of
    the web directory:

        http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html

    We get the following message:

        Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such file or folder.

    By the way, if the requested file does not exist and its extension
    is not html, shtml or asp, such as

        http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe

    we get a different message that does not include the path:

        Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: "postinfo1.exe"

    'Smiler' tested this on Windows NT 4.0, where it also reveals the
    local path of the IIS web directory.

    Microsoft's FrontPage module for Apache displays the same behavior:

        http://www.whoever.com/_vti_bin/shtml.exe/whatever.html

    returns

        'Cannot open "/document/root/whatever.html": no such file or folder.'

    While

        http://www.whoever.com/_vti_bin/shtml.exe/whatever.something

    returns

        'Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: "whatever.something"'

    Tested on mod_frontpage/3.0.4.3.
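    The path disclosure above leaves two traces a defender can act on:
    the request line for "/_vti_bin/shtml.exe/<file>" in the web server
    log, and the "Cannot open" message in the response body.  The script
    below is an added example, not part of the original advisory: it
    flags shtml.exe requests in constructed combined-format log lines,
    classifies a captured response body using the two error strings
    quoted in the advisory, and derives the document root that a
    "Cannot open" message discloses.  The log format, the sample lines
    and the IP addresses (192.0.2.x) are assumptions for illustration.

```python
import re

# Apache/IIS "combined" log format (assumption: adjust to the server's
# real format; IIS W3C logs use a different layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any request routed through shtml.exe with a trailing file component.
SHTML_RE = re.compile(r'/_vti_bin/shtml\.exe/(?P<target>[^?\s]*)', re.IGNORECASE)

# The two error strings quoted in the advisory.  Only the first one
# leaks the server's local filesystem path.
OPEN_ERR_RE = re.compile(r'Cannot open "(?P<path>[^"]+)": no such file or folder')
NONHTML_ERR_RE = re.compile(
    r"Cannot run the FrontPage Server Extensions' Smart HTML interpreter"
)


def parse_log_line(line):
    """Parse one combined-format log line into a dict, or None if it
    does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_shtml_probes(lines):
    """Return (ip, requested file, status) for every request that went
    through shtml.exe.  The status code alone does not tell whether the
    file existed, so pair this with classify_response() on the body."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        m = SHTML_RE.search(rec["path"])
        if m and m.group("target"):
            hits.append((rec["ip"], m.group("target"), rec["status"]))
    return hits


def classify_response(body):
    """Classify an shtml.exe response body: ('path_disclosure', path)
    when the local path is leaked, ('non_html', None) for the harmless
    non-HTML message, ('other', None) otherwise."""
    m = OPEN_ERR_RE.search(body)
    if m:
        return ("path_disclosure", m.group("path"))
    if NONHTML_ERR_RE.search(body):
        return ("non_html", None)
    return ("other", None)


def document_root(disclosed_path, requested_file):
    """Strip the requested file name from the disclosed path to show the
    web root that the message gives away (case-insensitive, since
    Windows paths are)."""
    if disclosed_path.lower().endswith(requested_file.lower()):
        return disclosed_path[: len(disclosed_path) - len(requested_file)]
    return disclosed_path


# Constructed sample log lines; the file names mirror the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.10 - - [10/Oct/2000:13:55:40 -0700] "GET /_vti_bin/shtml.exe/postinfo1.html HTTP/1.0" 200 78',
    '192.0.2.11 - - [10/Oct/2000:13:56:02 -0700] "GET /_vti_bin/shtml.exe/postinfo.html HTTP/1.0" 200 1402',
    '192.0.2.12 - - [10/Oct/2000:13:56:30 -0700] "GET /_vti_bin/shtml.exe/whatever.something HTTP/1.0" 200 120',
    "not a log line",
]

if __name__ == "__main__":
    for ip, target, status in find_shtml_probes(SAMPLE_LOG):
        print(f"{ip} requested {target!r} via shtml.exe (status {status})")
    # Constructed response body matching the advisory's quoted message.
    body = 'Cannot open "d:\\inetpub\\wwwroot\\postinfo1.html": no such file or folder.'
    kind, path = classify_response(body)
    if kind == "path_disclosure":
        print("web root disclosed:", document_root(path, "postinfo1.html"))
```

    Running find_shtml_probes() over the access log shows who is walking
    shtml.exe with file names that do not belong to the site; feeding a
    saved response body to classify_response() confirms whether the
    installed Server Extensions version still returns the disclosing
    message after the fix in the SOLUTION section has been applied.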

SOLUTION

    By itself this isn't a security vulnerability - that is, it would
    not allow someone to compromise data on the server, prevent
    legitimate users from being serviced, or usurp administrative
    control over the machine.  However, the disclosed path could be
    useful as a reconnaissance tool.

    Microsoft knows about the problem and is fixing it in FrontPage
    2000 Server Extensions 1.2.