Buffer Overflow and Path Exposure in HTimage
Reported April 14, 2000 by
Legion2000
VERSIONS AFFECTED
  • htimage.exe, as shipped with all versions of Microsoft FrontPage

DESCRIPTION

HTimage is a CERN-compatible image map dispatcher that ships with FrontPage 98. The utility exposes path information and contains a buffer overflow condition that may allow code to be injected for execution on the server.

DEMONSTRATION

Sending the htimage.exe component an invalid set of parameters, such as http://server/scripts/htimage.exe/xunil?0,0, causes the component to reveal path information.

Sending the component a set of parameters prefixed with 741 characters ( /aaaa....aaaa?0,0 ) causes a buffer overflow condition, in which code injection may be possible by intentionally constructing a URL to contain executable code.
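
A log check for the two request shapes described above, as an added example that is not part of the original advisory. It assumes Common Log Format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# From the advisory: 741 characters placed before "?0,0" trigger the overflow.
# Assumption: the length is counted on the decoded path info after htimage.exe,
# leading slash included.
OVERFLOW_PREFIX_LEN = 741

# Request line of a Common Log Format entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Everything that follows htimage.exe in the URL path.
HTIMAGE_RE = re.compile(r'/htimage\.exe(/.*)?\Z', re.IGNORECASE | re.DOTALL)


def classify(line, limit=OVERFLOW_PREFIX_LEN):
    """Return None, 'review' or 'overflow-length' for one access-log line."""
    req = REQUEST_RE.search(line)
    if not req:
        return None
    raw_path, _, _query = req.group(1).partition("?")
    hit = HTIMAGE_RE.search(unquote(raw_path))
    if not hit:
        return None                      # not an htimage.exe request
    path_info = hit.group(1) or ""
    if len(path_info) >= limit:
        return "overflow-length"         # matches the overflow request shape
    return "review"                      # any other call; may be a path probe


def scan(lines, limit=OVERFLOW_PREFIX_LEN):
    """Return (line_number, verdict) for every htimage.exe request found."""
    results = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line, limit)
        if verdict:
            results.append((number, verdict))
    return results


# Constructed sample log lines (addresses, times and status codes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2000:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.11 - - [14/Apr/2000:10:00:05 +0000] "GET /scripts/htimage.exe/xunil?0,0 HTTP/1.0" 500 312',
    '192.0.2.11 - - [14/Apr/2000:10:00:09 +0000] "GET /scripts/htimage.exe/'
    + "a" * 741 + '?0,0 HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

A lower `limit` can be passed to `scan` to surface unusually long map names that fall short of the advisory's figure.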

VENDOR RESPONSE

Microsoft is aware of this issue; however, no response was known at the time of this writing.

CREDITS
Discovered and reported by
Legion2000