If FrontPage Server Extensions 1.2 is installed on an IIS server, IIS can be made
to reflect content chosen by a malicious third party back to a client by way of a
specially formed link. This is a reflected cross-site scripting issue.
If additional text is appended to the path of a request for shtml.dll, the server
generates an error page that includes that text verbatim, without HTML-encoding it.
If the appended text is client-side script, the browser executes it as content
that originated from the server returning the error (even though the script
actually came from the site that supplied the link). This matters most when the
server named in the hostile URL is a trusted site: the injected script then runs
in that site's security context, with whatever privileges the browser grants to
content from that site (its cookies, its DOM, and any elevated zone settings).
For example, consider a link off of a page from a hostile website:
<a href="http://TrustedServer/_vti_bin/shtml.dll/<script>Hostile Code Here</script>">http://TrustedServer</a>.
If a user clicks the link above, the script is passed in the HTTP request from the
client to TrustedServer. TrustedServer returns the script as part of its error message.
The client, receiving the error page containing the script, executes it and grants it
all rights that content from TrustedServer would receive.
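The following is an added example, not code from the original advisory or from
Microsoft. It models the reflection described above and the check a tester would run
against an authorized IIS host: a benign, unique marker is placed in the path after
shtml.dll, and the returned error page is inspected for the marker in raw form
(vulnerable) versus HTML-encoded form (fixed). The error-page wording and the
vulnerable/hardened handler functions are hypothetical stand-ins for shtml.dll's real
behaviour; the host name TrustedServer is the placeholder used in the advisory.

```python
"""Reflected-XSS probe for the shtml.dll error-page issue (added example).

Hypothetical model: the vulnerable handler URL-decodes the request path and pastes
it into an HTML error page unchanged; the hardened handler HTML-encodes it first.
No network is touched unless http_fetch() is called explicitly.
"""
import html
import urllib.error
import urllib.request
from urllib.parse import quote, unquote, urlsplit

TRUSTED_HOST = "TrustedServer"   # placeholder host name from the advisory
MARKER = "<xs7f3a9>"             # benign marker; angle brackets are what we care about


def build_probe_url(host, payload=MARKER):
    """Place the payload in the path after shtml.dll, as in the advisory's link."""
    # Leave '<', '>' and '/' raw so the probe mirrors the advisory's URL shape.
    return "http://%s/_vti_bin/shtml.dll/%s" % (host, quote(payload, safe="/<>"))


def vulnerable_error_page(request_path):
    """Hypothetical vulnerable handler: echoes the decoded path verbatim."""
    return ('<html><body><h1>Error</h1><p>Cannot open "%s".</p></body></html>'
            % unquote(request_path))


def hardened_error_page(request_path):
    """Hypothetical fixed handler: HTML-encodes the path before echoing it."""
    return ('<html><body><h1>Error</h1><p>Cannot open "%s".</p></body></html>'
            % html.escape(unquote(request_path), quote=True))


def classify(body, marker=MARKER):
    """Decide how the marker came back in the response body."""
    if marker in body:
        return "vulnerable"          # markup would render and script would run
    if html.escape(marker, quote=True) in body:
        return "encoded"             # reflected, but neutralised by HTML-encoding
    return "not reflected"


def probe(host, fetch, marker=MARKER):
    """Build the probe URL, fetch it with `fetch(url) -> str`, classify the result."""
    return classify(fetch(build_probe_url(host, marker)), marker)


def simulated_fetch(handler):
    """Offline fetch: hand the URL's path to a handler that renders the error page."""
    def fetch(url):
        return handler(urlsplit(url).path)
    return fetch


def http_fetch(url, timeout=5):
    """Live fetch for authorized testing. Error pages arrive with 4xx/5xx status,
    which urlopen raises as HTTPError; the body we need is on the exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_error_page),
                          ("hardened", hardened_error_page)):
        print("%-10s -> %s" % (name, probe(TRUSTED_HOST, simulated_fetch(handler))))
```

To test a real host you are authorized to assess, replace the simulated fetch with
http_fetch, e.g. probe("hostname", http_fetch). The classify() step is the part worth
keeping: a marker that comes back only as &lt;...&gt; means the echo is harmless, while
a verbatim marker means any script placed in the path will run in the server's origin.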
Update (November 2, 2000): A new variant of this vulnerability has been discovered and is
addressed in the re-release of patches described in Microsoft Security Bulletin