Title: MS Frontpage htimage.exe File Existence Disclosure Vulnerability
Severity: MODERATE
Description:
htimage.exe can be used to determine whether a specified path and filename exist on the target host. The specified path must be on the same logical drive as the web content.
Any file can be specified as an image map in the URL. htimage.exe will then look for that path in the webroot, and then the root of the logical drive containing the webroot. If htimage.exe finds the file, it will generate an error about the file not being a valid image map, along the lines of:
"No URL returned, not even default set for the picture." (for a .txt or .bat file)
or:
"Syntax error at line 1 Bad field name, expecting 'default', 'rectangle', 'circle' or 'polygon' (got an alphanumeric string)."
Although this in itself is a small issue, it could be used as part of OS fingerprinting or root folder discovery.
Requesting a nonexistent file will return an error message disclosing the actual path of the web root.
For example:
Error calling HTImage:
Picture config file not found, tried the following:
* C:\Inetpub\wwwroot\path\non-existent-file.html
* /path/non-existent-file.html
Affected Products:
- Microsoft FrontPage 1.1.0
- Microsoft FrontPage 97 0.0.0
- Microsoft FrontPage 98 0.0.0
- Microsoft FrontPage 98 Server Extensions for IIS 0.0.0
- Microsoft FrontPage 98 Server Extensions for PWS 0.0.0
- Microsoft FrontPage Personal WebServer 1.0.0
- Microsoft NT Option Pack for NT 4.0 0.0.0
- Microsoft Personal Web Server 2.0.0
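
Detection sketch for the behaviour described above, added here as an example and not part of the original advisory or of any vendor tooling: it scans web server access logs for clients that repeatedly call htimage.exe with a file that is not an image map. Assumptions: logs are in Common Log Format, the file is passed as extra path information after htimage.exe, legitimate image maps end in .map, and the sample lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (documentation address ranges, made-up requests).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/htimage.exe/images/nav.map?10,20 HTTP/1.0" 302 0
198.51.100.7 - - [01/Jan/2000:10:01:00 +0000] "GET /cgi-bin/htimage.exe/path/non-existent-file.html?0,0 HTTP/1.0" 200 180
198.51.100.7 - - [01/Jan/2000:10:01:02 +0000] "GET /cgi-bin/HTIMAGE.EXE/readme.txt?0,0 HTTP/1.0" 200 90
203.0.113.5 - - [01/Jan/2000:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 512
"""

# client, request URI and status from a Common Log Format line
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')
# htimage.exe anywhere in the path, followed by optional extra path info
HTIMAGE = re.compile(r'/htimage\.exe(/[^?]*)?', re.IGNORECASE)
# Assumption: real image maps on this site use the .map extension.
MAP_EXTENSIONS = ('.map',)


def htimage_target(uri):
    """Return the file named as the image map ('' if none given),
    or None when the request is not for htimage.exe at all."""
    match = HTIMAGE.search(unquote(uri))
    if match is None:
        return None
    return match.group(1) or ''


def find_probes(log_text, threshold=2):
    """Map each client to the non-image-map files it asked htimage.exe
    to open, keeping only clients with at least `threshold` such requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = REQUEST.match(line)
        if parsed is None:
            continue  # not a request line we understand
        client, uri, _status = parsed.groups()
        target = htimage_target(uri)
        if target is None:
            continue  # unrelated request
        if not target.lower().endswith(MAP_EXTENSIONS):
            hits[client].append(target)
    return {c: t for c, t in hits.items() if len(t) >= threshold}


if __name__ == "__main__":
    for client, targets in find_probes(SAMPLE_LOG).items():
        print(client, targets)
```
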