search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft SmartHTML interpreter (shtml.dll) contains vulnerability

Vulnerability Note VU#723537

Original Release Date: 2002-10-02 | Last Revised: 2002-10-04


Microsoft's SmartHTML interpreter (shtml.dll) contains a remotely exploitable vulnerability.


shtml.dll is a component of FrontPage Server Extensions. FrontPage Server Extensions allow web developers to add or change content and to manage the web server.

Quoting from MS02-053, "The SmartHTML interpreter, shtml.dll, is part of FPSE, and supports certain types of dynamic web content. For instance, using SmartHTML, a web developer can build a web page that relies on FrontPage features, but not actually have those features embedded within the page until a user requests it."

A remotely exploitable vulnerability in shtml.dll can allow a remote attacker to disrupt the normal operation of the web server or execute arbitrary code with system privileges. For more details, please see the "Impact" section of this document.


There are varying impacts depending on the version of FrontPage Server Extensions running on the vulnerable host. If a user is running FrontPage Server Extensions 2000, an attacker can cause denial-of-service conditions on the web server (cause the web server to become unavailable). If a user is running FrontPage Server Extensions 2002, a remote attacker can execute arbitrary code with system privileges on the web server.


Apply a patch.

Vendor Information


Microsoft Corporation Affected

Updated:  October 02, 2002



Vendor Statement

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Maninder Bharadwaj of Digital Defense Services, part of Digital GlobalSoft Ltd., is credited with discovering this vulnerability.

This document was written by Ian A Finlay. It is based on information provided by Microsoft.

Other Information

CVE IDs: CVE-2002-0692
Severity Metric: 10.35
Date Public: 2002-09-25
Date First Published: 2002-10-02
Date Last Updated: 2002-10-04 20:04 UTC
Document Revision: 24

Sponsored by CISA.