Microsoft KB Archive/182125

= FP98: Browsing to ASP Files Through Shtml.dll Displays ASP Code =

Article ID: 182125

Article Last Modified on 2/6/2007

-

APPLIES TO


 * Microsoft FrontPage 98 Standard Edition

-



This article was previously published under Q182125



SYMPTOMS
Under certain conditions, an intruder knowledgeable in the architecture of the FrontPage Server Extensions may use his knowledge to gain access to the source code for Active Server Page files on an unprotected Web server. This is a security issue for those that have sensitive information in their ASP or Active Server Application (ASA) files.



RESOLUTION
To resolve this issue, you must install the updated version of the FrontPage Server Extensions. For more information about how to obtain and install the FrontPage Server Extensions, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa278914(office.10).aspx



STATUS
Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article. This problem was corrected in version 3.0.2.1330 of the FrontPage Server Extensions.



MORE INFORMATION
The FrontPage Server Extensions, version 3.0.2.1330, looks for either of the following in a page before processing it:

<%

If this value is found, Shtml.dll will not process any text until it comes across a %> value.

-or-

<SCRIPT RUNAT="server" If this value is found, Shtml.dll will not process any text until it comes across a value.

Alternatively, you can specify what file extensions Shtml.dll will evaluate. To do this, add the following line in the Frontpg.ini file

RunTimeFileExtensions=.ext1.ext2.

where .ext1 and .ext2 are the extensions you want Shtml.dll to evaluate. For example, if you want to process run-time FrontPage components on .htm and .html pages only, add the following line to the Frontpg.ini:

RunTimeFileExtensions=.htm.html

Additional query words: 98 security asp iis

Keywords: kbbug kbfix KB182125

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.