It could be related to the Microsoft IIS shtml.exe path disclosure
vulnerability.

A search on the web for shtml.exe and vulnerability came up with the
following. But it's also over a year old, so probably isn't too much of a
problem with a correctly patched IIS server.

The local path of HTML, HTM, ASP, and SHTML files can be exposed under
Microsoft IIS 4.0 and 5.0. Requesting a non-existent file from shtml.exe
will result in an error message that discloses the full local path to the
web root.

Details

Vulnerable systems:
- Microsoft IIS 5.0
- Microsoft IIS 4.0

Exploit:
A URL such as:
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.html
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.htm
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.shtml
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.asp

Will reveal the real path of the web server to an attacker. This
information can later be used in further attacks.

URL: http://www.securiteam.com/windowsntfocus/5NP0J0U1FO.html

At 15:00 25/09/01 -0800, Josh Burroughs wrote:
>On Tue, 25 Sep 2001, Dale Lancaster wrote:
>> However I am seeing new log entries that I haven't seen before:
>>
>> [Tue Sep 25 16:33:41 2001] [error] [client 199.26.11.171] File does not
>> exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc
>>
>> It may just be some misconfiguration in our site, but the shtml.exe seems to
>> point to something else since we don't use .exe stuff on our site. These
>> are flooding my site, but we get lots of them over a day.
>
>That's what it looks like when someone using MS Frontpage tries to
>connect/upload a web site to a server with frontpage extensions installed.
>If the IPs connecting are from inside your org find the offending users
>and hit them with a stick ;-> Or set up redirects to goatse.cx, I'm not
>sure if the frontpage client will honor a redirect but it'd be funny as
>hell that has the intended effect ;->
>
>
>-Josh
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

--
Nicole Haywood                  Phone: +61 2 93515504
Network Security Officer        Fax: +61 2 93515001
University of Sydney            Email: N.Haywoodat_private
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 22:53:34 PDT
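
Added example, not part of the original thread or any poster's code: a triage script for Apache error_log entries of the kind quoted above. It separates FrontPage client connection attempts (`_vti_rpc`) from requests shaped like the advisory's `shtml.exe/<file>` URLs and marks each client as internal or external. The `INTERNAL_NETS` range is an assumption, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache error_log "File does not exist" line, in the format quoted in the thread.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)")
# FrontPage client RPC endpoint vs. a document name requested through shtml.exe.
RPC_RE = re.compile(r"/_vti_bin/shtml\.exe/_vti_rpc$", re.I)
DOC_RE = re.compile(r"/_vti_bin/shtml\.exe/[^/]+\.(?:html?|shtml|asp)$", re.I)
# Assumption: replace with your organisation's own address ranges.
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def classify(path):
    """Label a missing-file path; None means it is not FrontPage-related."""
    if RPC_RE.search(path):
        return "frontpage-client"
    if DOC_RE.search(path):
        return "path-disclosure-probe"
    return "other-frontpage" if "/_vti_" in path.lower() else None


def summarize(lines, internal_nets=INTERNAL_NETS):
    """Return {(ip, origin, kind): count} for FrontPage-related entries."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        kind = classify(m.group("path")) if m else None
        if kind is None:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # client field was not an IP address
        origin = "internal" if any(addr in n for n in internal_nets) else "external"
        counts[(str(addr), origin, kind)] += 1
    return dict(counts)


# First line is the entry from the thread; the others are constructed samples.
SAMPLE = [
    "[Tue Sep 25 16:33:41 2001] [error] [client 199.26.11.171] File does not exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc",
    "[Tue Sep 25 16:35:02 2001] [error] [client 10.1.2.3] File does not exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc",
    "[Tue Sep 25 16:36:10 2001] [error] [client 192.0.2.44] File does not exist: /some/where/html/_vti_bin/shtml.exe/non-existent-file.asp",
    "[Tue Sep 25 16:36:11 2001] [error] [client 192.0.2.44] File does not exist: /some/where/html/favicon.ico",
    "[Tue Sep 25 16:37:45 2001] [error] [client 10.1.2.3] File does not exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc",
]

if __name__ == "__main__":
    for (ip, origin, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"{ip:15} {origin:8} {kind:22} {n}")
```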