漏洞类别:CGI漏洞等级: 
漏洞信息
"shtml.exe" is a component of the Frontpage package. Microsoft IIS Versions 4.0 and 5.0 contain a vulnerability that may disclose the local path of HTML, HTM, ASP and SHTML files. Requesting a non-existent file from shtml.dll will result in an error message that discloses the full local path of the Web Root. This vulnerability can be exploited by performing a request such as:
http://www.example.org/_vti_bin/shtml.exe/non_existant_file.htm
http://www.example.org/_vti_bin/shtml.exe/non_existant_file.html
http://www.example.org/_vti_bin/shtml.exe/non_existant_file.shtml
http://www.example.org/_vti_bin/shtml.exe/non_existant_file.asp
The following versions are vulnerable:
- Microsoft FrontPage 2000 Server Extensions Version 1.1 and prior (for FrontPage 2000.0, Windows 95/98/NT 4.0/NT 2000)
- Microsoft FrontPage Server Extensions Module for Apache Version 3.0.43
- Microsoft IIS Version 5.0 (for Windows NT, 2000)
- Microsoft IIS Version 4.0 (for Windows NT 4.0, BackOffice 4.0/4.5)
Frontpage Extensions are also vulnerable to cross-scripting attacks. For more information, see Cert Advisory CA-2000-02. Basically, it's possible to use specially designed URLs to return user-specified content to the browser.
漏洞危害
Unauthorized user can retrieve the real path of the web server. This information can later be used in further attacks.
解决方案
This issue was fixed in Frontpage Server Extensions 2000 (for Windows 95/98/NT 4.0/NT 2000) Version 1.2. You can download a patch from Microsoft's Web site.
Virtual Patches:
Trend Micro Virtual Patching
Virtual Patch #1000784: MS IIS Frontpage Server Extensions Path Disclosure
0day
文章评论