Vulnerability Note VU#723537
Microsoft SmartHTML interpreter (shtml.dll) contains vulnerability
Overview
Microsoft's SmartHTML interpreter (shtml.dll) contains a remotely exploitable vulnerability.
Description
shtml.dll is a component of FrontPage Server Extensions. FrontPage Server Extensions allow web developers to add or change content and to manage the web server. Quoting from MS02-053, "The SmartHTML interpreter, shtml.dll, is part of FPSE, and supports certain types of dynamic web content. For instance, using SmartHTML, a web developer can build a web page that relies on FrontPage features, but not actually have those features embedded within the page until a user requests it." |
Impact
There are varying impacts depending on the version of FrontPage Server Extensions running on the vulnerable host. If a user is running FrontPage Server Extensions 2000, an attacker can cause denial-of-service conditions on the web server (cause the web server to become unavailable). If a user is running FrontPage Server Extensions 2002, a remote attacker can execute arbitrary code with system privileges on the web server. |
Solution
Apply a patch. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 02 Oct 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.microsoft.com/technet/security/bulletin/MS02-053.asp
- http://lists.netsys.com/pipermail/full-disclosure/2002-September/002252.html
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservext/html/fpovrw.asp
Credit
Maninder Bharadwaj of Digital Defense Services, part of Digital GlobalSoft Ltd., is credited with discovering this vulnerability.
This document was written by Ian A Finlay. It is based on information provided by Microsoft.
Other Information
- CVE IDs: CAN-2002-0692
- Date Public: 25 Sep 2002
- Date First Published: 02 Oct 2002
- Date Last Updated: 04 Oct 2002
- Severity Metric: 10.35
- Document Revision: 24
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.