Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: shtml.exe reveal local path of IIS web directory
From: Frankie Zie (rootCNNS.NET)
Date: Sat May 06 2000 - 18:16:35 CDT

I found there is a security problem about shtml.exe that
allows anyone to explore the local path of IIS web server.
Tested on windows2000 server.shtml.exe is a program issued
with Forntpage Extention server for viewing smart HTML
file, If we install Frontpage on Windows2000 server, a
directory names "/_vti_bin" will be installed on web root
directory. Normally we can view HTML file
or SHTML file by the following method:
shtml.exe only accepts html¡¢shtml or htm files, if the
requested file does not exist, we will get the local path
of the web directory:

We get the following message:
Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such
file or folder.

By the way, if we request file that does not exist and the
extention file name is not html, shtml or asp, such as,
We'll get different message:
Cannot run the FrontPage Server Extensions' Smart HTML
interpreter on this non-HTML page: "postinfo1.exe"