file extension HTR - Scripts that allow Windows NT password services to be provided via IIS web servers
File extension HTR description:
What are .HTR files?
.HTR files are scripts that allow Windows NT password services to be provided via IIS web servers. Windows NT users can use .HTR scripts to change their own passwords, and administrators can use them to perform a wide array of password administration functions. More information on this functionality is available in Knowledge Base article 184619.
It's worth mentioning that, as a general practice, it's always a good idea to remove any unneeded script mappings, and .HTR files are no exception. As discussed in the IIS 4.0 Security Checklist, unless web-based password management features are needed, the script mapping for these files should be removed. If this has been done, none of the vulnerabilities described in this bulletin can affect the server.
What is the "Undelimited .HTR Request" vulnerability?
The first vulnerability is a denial of service vulnerability. All .HTR files accept certain parameters that are expected to be delimited in a particular way. This vulnerability exists because the search routine for the delimiter isn't properly bounded. Thus, if a malicious user provided a request without the expected delimiter, the ISAPI filter that processes it would search forever for the delimiter and never find it.
If a malicious user submitted a password change request that lacked an expected delimiter, ISM.DLL, the ISAPI extension that processes .HTR files, would search endlessly for it. This would prevent the server from servicing any more password change requests. In addition, the search would consume CPU time, so the overall response of the server might be slowed.
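The flaw class described above, shown as an added example that is not ISM.DLL code and not part of the original bulletin: a search whose only exit condition is finding the delimiter, next to a length-bounded search that reports a missing delimiter as an error. The ring-buffer model, the function names, the `&` delimiter and the sample parameter strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in, not ISM.DLL code: a scan over a ring buffer whose
 * only exit condition is "delimiter found". max_steps exists solely so the
 * demonstration terminates; the flawed pattern has no such budget.
 * Returns the steps taken, or -1 if the budget ran out. */
long scan_exit_on_match_only(const char *ring, size_t ring_len,
                             char delim, long max_steps)
{
    size_t i = 0;
    for (long steps = 0; steps < max_steps; steps++) {
        if (ring[i] == delim)
            return steps;
        i = (i + 1) % ring_len;   /* wraps: never runs out of input */
    }
    return -1;                    /* would still be spinning */
}

/* Bounded search: examines each byte at most once and reports a missing
 * delimiter as an error the caller can reject. Returns offset or -1. */
long find_delim_bounded(const char *buf, size_t len, char delim)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == delim)
            return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample parameters; '&' is an assumed delimiter. */
    const char ok[]  = "user=alice&new=secret";
    const char bad[] = "user=alice";   /* delimiter missing */

    printf("bounded, delimited:     %ld\n",
           find_delim_bounded(ok, sizeof ok - 1, '&'));
    printf("bounded, undelimited:   %ld\n",
           find_delim_bounded(bad, sizeof bad - 1, '&'));
    printf("unbounded, undelimited: %ld\n",
           scan_exit_on_match_only(bad, sizeof bad - 1, '&', 1000000));
    return 0;
}
```

The bounded version costs at most one pass over the request, so an undelimited request is rejected in time proportional to its length instead of tying up the worker and the CPU.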
Associated applications to file extension HTR:
Microsoft® Internet Information Server
Company / developer:
Microsoft Corporation