Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 474
  • Last Modified:

What is SHTML.EXE?

I have a small web server running W2K / IIS 5 and a client of mine is moving his web site from another hosting company to my server.  This client wants to use FrontPage extensions, which I do have installed and have configured for his virtual domain.

Problem is, he has some order forms that he created that no longer work now that his site is on our server.  Looking at one of his order forms, I find this tag:

<form method="POST" action="_vti_bin/shtml.exe/order_form2.htm" enctype="x-www-form-encoded" webbot-action="--WEBBOT-SELF--">

His order form fails to function on my server.  There is no "_vti_bin" folder to start with, not to mention the SHTML.EXE file does not exist either.

I don't like the idea of a client executing an EXE file on my server in the first place.   It would appear from the _vti_bin path that this may be a Microsoft EXE that he is trying to use.  What is SHTML.EXE, and where does it come from, and can it be trusted?

  • 3
  • 2
1 Solution
Indeed that is a Frontpage extension. There was a problem with that filemaking you vulnerable to a remote Denial of Service attack that disables all FrontPage operations on a web site.See: http://msdn.microsoft.com/workshop/languages/fp/2000/winfpse.asp

I do not use Frontpage extensions but that folder and files sound similar to your CGI-BIN and its files, so I would assume it should have been installed when you installed extensions. If not then you need to create that folder, map it as a virtual directory in IIS, and then place that file into it and your form will run.

KapustaAuthor Commented:
If I use IIS's  Internet Services Manager, and open the "node" showing this user's virtual domain name, I can see a VIRTUAL _vti_bin folder pointing to the c:\ drive.   In that folder is a SHTML.DLL (not an .EXE).

I don't feel it is my responsibility to be debugging this client's web page, but at the same time, if access to this DLL is normal for using FrontPage extensions, then I don't have a problem with him accessing it.

Nonetheless, his current HTML does not work, and I have no idea what he needs to do to make it work.

Is the fact that he has coded SHTML.EXE (as opposed to SHTML.DLL) indicate that his previous web host was running IIS 4 instead of IIS 5?
The permissions for that virtual directory need to allow executables, check and see what it is currently set for. However you should only do that as follows:

Normally you would have only ONE _vti_bin folder for your whole server (and it needs to have executables as permissions), and every domain that wants Frontpage extensions has it mapped to their account as a virtual directory. This folder is isolated and users cannot upload their own files into it. If they want an executable placed in there then they have to submit it to your first so you can check it for safety before you place it into that folder. That way every account on your server is using the same SHTML.EXE for example, and it is one you know to be safe. I would not grant executables permissions to any user on the server where he can upload an executable and they execute it at will all on his own.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

KapustaAuthor Commented:
>> The permissions for that virtual directory need to
>>allow executables, check and see what it is currently
>> set for.

The "Home Directory" properties for this user's virtual domain is set for:

X Scripte Source Access
X Read
X Log visits

Execute permissions = "Scripts and Executables"

>>every domain that wants Frontpage extensions has it
>> mapped to their account as a virtual directory.

This client's domain DOES have a virtual link to c:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB SERVER EXTENSIONS\40\_vti_bin

...in which I have a SHTML.EXE file.

This user's HTML order form, continues to fail,...displaying this as the error message result:

"The specified module could not be found."

To me, his "action" code seems invalid:


How can you append a HTM file at the end of a path that contains an EXE file?!  It seems invalid from a simple path standpoint.

KapustaAuthor Commented:
Here's the culprit:

Microsoft FrontPage Server Extensions:
   http://www.americangasproducts.com - Error #160005 Message: Bad response from SMTP host'ns1': 550 not local host pacbell.net, not a gateway .

The email address that the form was sending to violates our security settings on our SMTP server (which is on the same machine as IIS).  Only email sent from accounts that exist on our server are permitted to relay mail through our server.
PAQed, with points refunded (200)

E-E Admin

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now