Re: More Microsoft debri

From: Michael Howard (mikehowat_private)
Date: Thu Apr 23 1998 - 11:40:23 PDT


    i work on the iis team, not fp, but i'll take a stab. the shtml.exe file is
    used by the frontpage editor when it wants to upload work from the editor to
    the server. this communication is performed using http. the same fp server
    extensions (as they are called) are used by visual interdev.
    
    the extensions are not specific to microsoft servers, they are available on
    various flavors of unix too. what's possibly happening is someone is using
    fp or vid to work on your server. if the fp extensions are not there then
    fp/vid will not be able to upload stuff to your server, but you will
    probably see a log entry like that listed below from a tool trying to test
    if the extensions are loaded on the server.
    
    the link updating theory is interesting, but i don't think that fp tries to
    call any executable to verify off-server links. but i'd need to check with
    the fp guys... let me know if you want me to pursue it...
    
    cheers, mh
    mikehowat_private
    program manager
    iis security
    
    
    -----Original Message-----
    From: Lloyd Vancil [mailto:levat_private]
    Sent: Thursday, April 23, 1998 8:36 AM
    To: BUGTRAQat_private
    Subject: More Microsoft debri
    
    
    Looking at my Netscape error log on my web servers recently I have found
    several entries that look like this:
    
    [08/Apr/1998:08:07:07] config: for host *blah* trying to POST
    /_vti_bin/shtml.exe/_vti_rpc, handle-processed reports: no way to service
    request for /_vti_bin/shtml.exe/_vti_rpc
    
    Host name removed to protect the -apparently- innocent
    
    
    The file being posted here is the M$ control file for servers managed by
    "FrontPage."
    
    In the beginning I thought these were all attempts to "take over" my server
    by placing a hacked version of the software in my server.  Since we don't
    run NT or 95, for obvious reasons, I was somewhat surprised by the
    frequency of such brain dead attacks and even more surprised that it
    might work.
    
    Recently I have learned that the M$ software itself attempts to POST to
    this file if you attempt to "verify off site links" on a server managed
    by this software.
    
    In other words, every time you attempt to verify links to other servers
    on your M$ managed http server, that server will ASSUME that every one is
    a M$ managed server and add yet another error entry to their error file.
    
    
    I have notified M$ -as expected, no response-
    
    
    
             lev@    _/_/_/_/  _/_/_/_/  _/_/_/_/  _/      _/_/_/
    searchmaster@   _/    _/  _/    _/  _/    _/  _/      _/
                   _/    _/  _/_/_/_/  _/_/_/_/  _/      _/_/_/    .com
                  _/_/_/_/  _/        _/        _/      _/
                 _/    _/  _/        _/        _/_/_/  _/_/_/
    
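An added example, not part of either message above: a small parser for the Netscape error-log line quoted by Lloyd, flagging requests under /_vti_bin/ (the FrontPage Server Extensions path) and counting them per host, so an admin on a non-FrontPage server can see which hosts keep probing rather than guessing. The log lines are constructed to match the quoted format; the quoted entry wraps across three lines in the archive but is one line in the actual log.

```python
import re
from collections import Counter
from datetime import datetime

# Netscape error-log format as quoted in the thread (one physical line):
# [08/Apr/1998:08:07:07] config: for host *blah* trying to POST
#   /_vti_bin/shtml.exe/_vti_rpc, handle-processed reports: no way to ...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] config: for host (?P<host>\S+) trying to "
    r"(?P<method>[A-Z]+) (?P<path>\S+?), handle-processed reports: "
    r"(?P<msg>.*)$"
)

# Path prefix used by the FrontPage Server Extensions (shtml.exe lives here).
FPSE_PREFIX = "/_vti_bin/"


def parse_line(line):
    """Parse one error-log line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    # True when a client asked for something under the FPSE directory,
    # i.e. a FrontPage/Visual InterDev client (or a probe) assumed the
    # extensions were installed on this server.
    rec["fpse_probe"] = rec["path"].startswith(FPSE_PREFIX)
    return rec


def summarize_probes(lines):
    """Return {host: number of FPSE-path requests} for the given log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["fpse_probe"]:
            counts[rec["host"]] += 1
    return dict(counts)


# Constructed sample lines: the entry from the thread, a second FPSE probe
# from a made-up host, one ordinary failed request, and one unparsable line.
SAMPLE_LOG = [
    "[08/Apr/1998:08:07:07] config: for host *blah* trying to POST "
    "/_vti_bin/shtml.exe/_vti_rpc, handle-processed reports: no way to "
    "service request for /_vti_bin/shtml.exe/_vti_rpc",
    "[08/Apr/1998:09:15:42] config: for host editor1.example.com trying to "
    "POST /_vti_bin/shtml.exe/_vti_rpc, handle-processed reports: no way to "
    "service request for /_vti_bin/shtml.exe/_vti_rpc",
    "[08/Apr/1998:09:16:03] config: for host editor1.example.com trying to "
    "POST /cgi-bin/form.cgi, handle-processed reports: no way to service "
    "request for /cgi-bin/form.cgi",
    "this line is not a config entry",
]

if __name__ == "__main__":
    for host, n in summarize_probes(SAMPLE_LOG).items():
        print(f"{host}: {n} FrontPage extension probe(s)")
```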
