Vulnerability Note VU#723537

Microsoft SmartHTML interpreter (shtml.dll) contains vulnerability

Original Release date: 02 Oct 2002 | Last revised: 04 Oct 2002


Microsoft's SmartHTML interpreter (shtml.dll) contains a remotely exploitable vulnerability.


shtml.dll is a component of FrontPage Server Extensions. FrontPage Server Extensions allow web developers to add or change content and to manage the web server.

Quoting from MS02-053, "The SmartHTML interpreter, shtml.dll, is part of FPSE, and supports certain types of dynamic web content. For instance, using SmartHTML, a web developer can build a web page that relies on FrontPage features, but not actually have those features embedded within the page until a user requests it."

A remotely exploitable vulnerability in shtml.dll can allow a remote attacker to disrupt the normal operation of the web server or execute arbitrary code with system privileges. For more details, please see the "Impact" section of this document.


There are varying impacts depending on the version of FrontPage Server Extensions running on the vulnerable host. If a user is running FrontPage Server Extensions 2000, an attacker can cause denial-of-service conditions on the web server (cause the web server to become unavailable). If a user is running FrontPage Server Extensions 2002, a remote attacker can execute arbitrary code with system privileges on the web server.


Apply a patch.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-02 Oct 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Maninder Bharadwaj of Digital Defense Services, part of Digital GlobalSoft Ltd., is credited with discovering this vulnerability.

This document was written by Ian A Finlay. It is based on information provided by Microsoft.

Other Information

  • CVE IDs: CAN-2002-0692
  • Date Public: 25 Sep 2002
  • Date First Published: 02 Oct 2002
  • Date Last Updated: 04 Oct 2002
  • Severity Metric: 10.35
  • Document Revision: 24


If you have feedback, comments, or additional information about this vulnerability, please send us email.