I found there is a security problem about shtml.exe that
allows anyone to explore the local path of IIS web server.
Tested on windows2000 server.shtml.exe is a program issued
with Forntpage Extention server for viewing smart HTML
file, If we install Frontpage on Windows2000 server, a
directory names "/_vti_bin" will be installed on web root
directory. Normally we can view HTML file
or SHTML file by the following method:
http://210.145.32.98/_vti_bin/shtml.exe/postinfo.html
shtml.exe only accepts html、shtml or htm files, if the
requested file does not exist, we will get the local path
of the web directory:
http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.html
We get the following message:
Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such
file or folder.
By the way, if we request file that does not exist and the
extention file name is not html, shtml or asp, such as
http://207.69.190.42/_vti_bin/shtml.exe/postinfo1.exe,
We'll get different message:
Cannot run the FrontPage Server Extensions' Smart HTML
interpreter on this non-HTML page: "postinfo1.exe"
|
|
|
|
<![CDATA[<p id="vvttv"></p>]]>
|
|
<![CDATA[<p id="vvttv"></p>]]> |
<![CDATA[<p id="vvttv"></p>]]>
<![CDATA[<pre id="vvttv"><cite id="vvttv"><progress id="vvttv"></progress></cite></pre>]]>
|
<![CDATA[<output id="vvttv"><dfn id="vvttv"><th id="vvttv"></th></dfn></output>]]>
<![CDATA[<p id="vvttv"></p>]]> |