Discussion board


Jeff

When I try to reply to a posted message on my discussion board I set up, my
antivirus blocks it and says there was an intrusion HTTP IIS SHTML Request.
Can anyone tell me how to fix this...
 

Jeff

Tom
Thanks for your reply
Everyone that I have talked to that tries to reply gets the same message...

Tom [Pepper] Willett said:
Change the rules in your antivirus program.
--
Tom [Pepper] Willett
Microsoft MVP - FrontPage
FrontPage Support: http://www.frontpagemvps.com/
----------
Jeff said:
When I try to reply to a posted message on my discussion board I set up, my
antivirus blocks it and says there was an intrusion HTTP IIS SHTML
Request.
Can anyone tell me how to fix this...
 

Jeffrey Hopkins

Hi,

I have encountered the same problem with my forums that I use for my
internet-based college physics and astronomy classes.

I have been unable to reply to any student posts - all I can do is make
original posts (as many but not all of the students have to do now as well).

I still don't know what to do - any help would be appreciated.




Here's what I have found out thus far... When it first started acting up -
about a week ago, Norton claimed it had detected a worm with the following
message

=============================

Details:
Attempted Intrusion "HTTP IIS SHTML Request" from your machine against
discuss.midlandstech.edu(xxx.x.xxx.xx) was detected and blocked.
Intruder: EMACHINE(xxx.xxx.x.xxx)(1152).
Risk Level: Medium.
Protocol: TCP.
Attacked IP: discuss.midlandstech.edu(xxx.x.xxx.xx).
Attacked Port: http(80).


=============================


So I contacted our webmaster at the college and they did a scan and indeed
found a worm, but they have not figured out why I can no longer reply to
posts, so I looked up the "HTTP IIS SHTML Request" and found this
information from the Symantec security of attack signatures
(http://securityresponse.symantec.com/avcenter/attack_sigs/) for "HTTP IIS
SHTML Request"
(http://securityresponse.symantec.com/avcenter/attack_sigs/s20350.html).




HTTP IIS SHTML Request
Severity: Medium

This attack could pose a moderate security threat. It does not require
immediate action.



Description

This signature detects requests made to the shtml.exe or shtml.dll files
on the webserver.



Additional Information

There are two different vulnerabilities associated with these files. The
first is an information disclosure issue and the second is a denial of
service. Below is an explanation of both vulnerabilities.

The first vulnerability is that the local path of an HTML, HTM, ASP, or
SHTML file can be disclosed in Microsoft IIS 4.0/5.0 / FrontPage Server
Extensions 1.1 and prior. Passing a path to a non-existent file to the
shtml.exe or shtml.dll (depending on platform) program will display an error
message stating that the file cannot be found, accompanied by the full local
path to the web root. For example, performing a request for
http://target/_vti_bin/shtml.dll/non_existant_file.html will produce an
error message stating "Cannot open "C:\localpath\non_existant_file.html": no
such file or folder".

The second vulnerability makes it possible to remotely crash a system
running Microsoft FrontPage Server Extensions by conducting a URL request
for a MS-DOS device through shtml.exe. For example, the following URL
requests will crash FrontPage Server Extensions:
http://target/_vti_bin/shtml.exe/comX.htm (X being one of 1, 2, 3, or 4;
the device must exist on the target machine)
http://target/_vti_bin/shtml.exe/prn.htm
http://target/_vti_bin/shtml.exe/aux.htm

The device name must have an appended extension in order for the exploit
to work. In addition to the HTM extension, ASP will work as well. Restarting
IIS or rebooting the system is required in order to regain normal
functionality.

Testing has shown that it may require a constant stream of these requests
in order to render the server ineffective.

Affected:

Microsoft FrontPage 2000 Server Extensions SR 1.0
Microsoft FrontPage Server Extensions Module for Apache 3.0.4
Microsoft IIS 4.0, 5.0


Response

Both of these vulnerabilities have been corrected in Microsoft FrontPage
Server Extensions SR1.2.

This update can be downloaded from the following locations:

For Microsoft FrontPage 2000 Server Extensions SR 1.0:
Microsoft Patch FrontPage Server Extensions SR2

For Microsoft FrontPage Server Extensions Module for Apache 3.0.4:
Microsoft Patch FrontPage Server Extensions SR2

For Microsoft IIS 4.0:
Microsoft Patch FrontPage Server Extensions SR2

For Microsoft IIS 5.0:
Microsoft Patch FrontPage Server Extensions SR2

Possible False Positives

There are no known false positives associated with this signature.

Additional References

a. SecurityFocus BID: 1174
b. CAN-2000-0413

--

Thanks,
Jeffrey


Beneath South Carolina skies and clouds
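
The advisory quoted in the post above says the signature fires on any request to shtml.exe or shtml.dll, while the denial-of-service issue it describes involves MS-DOS device names specifically. As an added example (not part of the original post, and not Symantec's or Norton's detection logic), this Python script triages web-server log lines so that device-name requests can be told apart from other shtml traffic per client; the log field order and every sample line are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Handler named in the advisory: /_vti_bin/shtml.exe or shtml.dll, plus any extra path.
SHTML_RE = re.compile(r"/_vti_bin/shtml\.(?:exe|dll)(?:/(?P<extra>.*))?$", re.I)
# MS-DOS device names the advisory lists (com1-4, prn, aux) with an appended extension.
DOS_DEVICE_RE = re.compile(r"(?:com[1-4]|prn|aux)\.\w+", re.I)

# Constructed sample log (assumed field order: date time c-ip cs-method cs-uri-stem sc-status).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2004-03-01 10:00:01 192.0.2.10 POST /discuss/_vti_bin/shtml.dll/discuss/_disc1/post.htm 200",
    "2004-03-01 10:00:05 192.0.2.10 GET /discuss/index.htm 200",
    "2004-03-01 10:02:11 198.51.100.7 GET /_vti_bin/shtml.exe/prn.htm 500",
    "2004-03-01 10:02:12 198.51.100.7 GET /_vti_bin/shtml.exe/com1.asp 500",
    "2004-03-01 10:02:13 198.51.100.7 GET /_vti_bin/shtml.dll/%61ux.htm 500",
]


def classify(uri):
    """Return 'not-shtml', 'dos-device' or 'shtml-other' for one request URI."""
    # Decode percent-escapes first so an encoded device name is still recognised.
    path = unquote(urlsplit(uri).path)
    m = SHTML_RE.search(path)
    if m is None:
        return "not-shtml"
    segments = (m.group("extra") or "").split("/")
    if any(DOS_DEVICE_RE.fullmatch(seg) for seg in segments):
        return "dos-device"
    # Everything else under the handler, including ordinary form posts.
    return "shtml-other"


def summarize(log_lines):
    """Count request classes per client IP, skipping comment and short lines."""
    per_client = defaultdict(Counter)
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        client, uri = fields[2], fields[4]
        per_client[client][classify(uri)] += 1
    return {ip: dict(counts) for ip, counts in per_client.items()}


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

A client that shows only `shtml-other` hits with normal status codes looks very different from one producing a run of `dos-device` requests, which is the pattern the advisory associates with the denial of service.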
 

Jeffrey Hopkins

Hi Pepper,
I have the same issue and explained what I have encountered below in this
thread - but if this is the answer "Change the rules in your antivirus
program.", how or what changes do I need to make to Norton - for example -
to stop this?

--

Thanks,
Jeffrey


Beneath South Carolina skies and clouds
----------
Tom [Pepper] Willett said:
Change the rules in your antivirus program.
--
Tom [Pepper] Willett
Microsoft MVP - FrontPage
FrontPage Support: http://www.frontpagemvps.com/
----------
Jeff said:
When I try to reply to a posted message on my discussion board I set up, my
antivirus blocks it and says there was an intrusion HTTP IIS SHTML
Request.
Can anyone tell me how to fix this...
 

vogelp

Change the rules, how? I have this problem on one of two machines, both
set up with the same A/V package and rules. I cannot reply to threads
or hit Next or Previous but I can create a new thread on the problem
machine.
 
