FP98: Browsing to ASP Files Through Shtml.dll Displays ASP Code

Last reviewed: March 18, 1998
Article ID: Q182125
The information in this article applies to:
  • Microsoft FrontPage 98 for Windows

SYMPTOMS

Under certain conditions, an intruder knowledgeable in the architecture of the FrontPage Server Extensions may use his knowledge to gain access to the source code for Active Server Page files on an unprotected Web server. This is a security concern for those that have sensitive information in their ASP or Active Server Application (ASA) files.

RESOLUTION

To resolve this issue, you must install the updated version of the FrontPage Server Extensions. For more information about obtaining and installing the FrontPage Server Extensions, please see the following Microsoft Web site:

   http://www.microsoft.com/frontpage/wpp/license.htm

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article. This problem was corrected in version 3.0.2.1330 of the FrontPage Server Extensions.

MORE INFORMATION

The FrontPage Server Extensions, version 3.0.2.1330, check for either of the following in a page before processing it:

   <%

If this value is found, Shtml.dll will not process any text until it comes across a %> value.

-or-

   <SCRIPT RUNAT="server"

If this value is found, Shtml.dll will not process any text until it comes across a </script> value.

Alternatively, you can specify what file extensions Shtml.dll will evaluate. To do this, add the following line in the Frontpg.ini file

   RunTimeFileExtensions=.ext1.ext2.

where .ext1 and .ext2 are the extensions you want Shtml.dll to evaluate. For example, if you want to process run-time FrontPage components on .htm and .html pages only, add the following line to the Frontpg.ini:

   RunTimeFileExtensions=.htm.html


Additional query words: 98 security asp iis
Keywords : fpext fpactive kbdta
Technology : internet
Version : WINDOWS:98
Platform : WINDOWS
Hardware : ALPHA x86
Issue type : kbbug
Solution Type : kbfix


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: March 18, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.