Buffer Overflow and Path Exposure in HTimage
Reported April 14, 2000 by Legion2000
HTimage is a CERN-compatible image map dispatcher that ships with FrontPage 98. The utility exposes path information and contains a buffer overflow condition that may allow code to be injected for execution on the server.
DEMONSTRATION
Sending the htimage.exe component an invalid set of parameters, such as http://server/scripts/htimage.exe/xunil?0,0, causes the component to reveal path information.
Sending the component a set of parameters prefixed with 741 characters ( /aaaa....aaaa?0,0 ) causes a buffer overflow condition, where code injection may be possible by intentionally constructing a URL to contain executable code.
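The following Python log check is an added example, not part of the original advisory or any vendor tooling. It flags the two request shapes described above in web server access logs. The Common Log Format input, the sample lines, and the names classify and scan are assumptions; the 741-character figure is the advisory's.

```python
import re
from urllib.parse import urlsplit, unquote

# Figure taken from the advisory: a 741-character prefix triggers the overflow.
OVERFLOW_PREFIX_LEN = 741
# Assumed input: Common Log Format (client ... "METHOD target PROTO" status ...).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+)[^"]*" (\d{3})')

def classify(line, threshold=OVERFLOW_PREFIX_LEN):
    """Return (client, verdict, pathinfo_len) for htimage.exe requests, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    # Decode percent-escapes first so an encoded component name is still matched.
    path = unquote(urlsplit(target).path)
    # IIS paths are case-insensitive, so compare in lower case.
    idx = path.lower().find("/htimage.exe")
    if idx < 0:
        return None
    pathinfo = path[idx + len("/htimage.exe"):].lstrip("/")
    if len(pathinfo) >= threshold:
        return (client, "oversized-pathinfo", len(pathinfo))
    # Any other call is worth a look: an invalid map name discloses server paths.
    return (client, "review", len(pathinfo))

def scan(lines, threshold=OVERFLOW_PREFIX_LEN):
    """Classify every line and keep only the htimage.exe hits."""
    return [hit for hit in (classify(l, threshold) for l in lines) if hit]

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2000:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 512',
    '192.0.2.11 - - [14/Apr/2000:10:00:05 +0000] '
    '"GET /scripts/htimage.exe/xunil?0,0 HTTP/1.0" 200 310',
    '192.0.2.12 - - [14/Apr/2000:10:00:09 +0000] '
    '"GET /Scripts/HTIMAGE.EXE/' + "a" * 741 + '?0,0 HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for client, verdict, length in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\tpathinfo={length}")
```

Passing a lower threshold to scan surfaces long requests that fall short of the advisory's figure.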
Microsoft is aware of this issue; however, no response was known at the time of this writing.
Discovered and reported by Legion2000