https://www.exploit-db.com/exploits/19897
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-031

FrontPage98Extensions是Microsoft的一个产品，包括PWS和IIS版本，可以让网页设计人员方便的直接用FrontPage直接连接到PWS或者IIS上进行网页创作。shtml.exe和shtml.dll是FrontPage服务器扩展的组件之一。shtml.exe和shtml.dll存在一个设计失误可导致服务器绝对路径泄露。1.1版本以下的FrontPage，当shtml.exe或shtml.dll收到请求处理一个不存在的文件时，会报告一个错误，在这个错误信息中会泄露服务器当前的绝对路径。攻击者由此可以得知Web服务器主目录安装的绝对路径。

source: http://www.securityfocus.com/bid/1174/info

The local path of a HTML, HTM, ASP, or SHTML file can be disclosed in Microsoft IIS 4.0/5.0 / Frontpage Server Extensions 1.1 and prior. Passing a path to a non-existent file to the shtml.exe or shtml.dll (depending on platform) program will display an error message stating that the file cannot be found accompanied by the full local path to the web root. For example, performing a request for http://target/_vti_bin/shtml.dll/non_existant_file.html will produce an error message stating "Cannot open "C:localpathnon_existant_file.html": no such file or folder"

http://target/_vti_bin/shtml.exe/non-existent-file.html
http://target/_vti_bin/shtml.exe/non-existent-file.htm
http://target/_vti_bin/shtml.exe/non-existent-file.shtml
http://target/_vti_bin/shtml.exe/non-existent-file.asp
http://target/_vti_bin/shtml.dll/non_existant_file.html

来源:BID
名称:1174
链接:http://www.securityfocus.com/bid/1174
来源:BUGTRAQ
名称:20000506shtml.exereveallocalpathofIISwebdirectory
链接:http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
来源：NSFOCUS
名称：3378
链接：http://www.nsfocus.net/vulndb/3378