IIS 5.0/Windows 2000.
The /_vti_bin/shtml.dll vulnerability requires FrontPage server extensions (NOTE: FrontPage Service Release 1.2 fixes the bug).
1) .shtml files - specially designed URLs involving .shtml files may return hostile content.
2) /_vti_bin/shtml.dll - specially designed URLs may return hostile content (this issue is already fixed by Microsoft).
Both issues take advantage of an un-escaped error message returned by IIS or FrontPage Extensions.
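The unescaped error message, shown next to an escaped one, as an added example that is not code from the advisory or from Microsoft. The error template, the function names and the probe file names are hypothetical, and the example assumes the error text includes the requested name, which is how a URL can place content in the returned page.

```python
import html

# Hypothetical error template: the real IIS / FrontPage message text
# is not given in the advisory.
TEMPLATE = "<html><body><h1>Error</h1><p>Cannot open {name}</p></body></html>"

# Characters that change meaning inside HTML text or attribute values.
METACHARS = "<>\"'&"


def render_unescaped(name: str) -> str:
    """Models the flaw: the requested name is copied into the page verbatim."""
    return TEMPLATE.format(name=name)


def render_escaped(name: str) -> str:
    """Corrected form: HTML-encode the name before it reaches the page."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def raw_metachars(render) -> str:
    """Return the metacharacters a renderer reflects without encoding.

    Each probe is a constructed, inert file name holding one metacharacter
    between two marker strings. If the probe comes back byte-for-byte, the
    character was not encoded.
    """
    leaked = []
    for ch in METACHARS:
        probe = f"zq{ch}qz.shtml"  # constructed sample input
        if probe in render(probe):
            leaked.append(ch)
    return "".join(leaked)


if __name__ == "__main__":
    for label, fn in (("unescaped", render_unescaped),
                      ("escaped", render_escaped)):
        leaked = raw_metachars(fn)
        print(f"{label}: reflects raw {leaked!r}" if leaked
              else f"{label}: all metacharacters encoded")
```

The same check works as a regression test for any error handler that echoes request data: pass the handler in place of `render_escaped` and require an empty result.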
1) The following URL:
The URL may be used in a link or a script.
2) The following URL:
1) Reading the documents on web servers inside a firewall (in the Intranet).
2) Stealing cookies (poses great danger to sensitive information).
3) For IE: if the user has put a web site in the "Trusted sites" zone, other browser attacks may be launched.