I actually named the file www.google.com.exe on win95b, IE5 and it executed
causing an illegal operation... no prompting, whatsoever.

On Fri, 10 Aug 2001, Fab Siciliano wrote:

> How is this a vulnerability?
> I am still prompted to whether I want to save the file to disk, or run it
> from its current location. The file just doesn't execute unless you want
> it to.
>
> -Fab
>
>
> At 03:34 PM 8/10/2001, Kevin Gagel wrote:
> >You are incorrect.
> >I am using win2k pro with sp2.
> >I created a batch file and saved it to my desktop. It simply echoed
> >hello.
> >I renamed it to our web site with a .bat on the end.
> >Then in IE addressbar I typed the www address of our web site and the
> >batch file ran.
> >
> >"Rio Martin." wrote:
> > >
> > > I could confirm this, as long as you put executable file in desktop, then
> > > you will be able to open it. Extension .BAT won't run. Only .COM will run.
> > > I also try to rename the file to www.somekind.org and it just showing "Open
> > > With ..." window.
> > >
> > > Regards,
> > > Rio Martin.
> > > http://marsud.org/
> > >
> > > _
> > > "Red Pantz" <redpantzat_private> wrote something like this:
> > > > Hello all,
> > > > I have found that if you name a file (can be any data file) a certain URL,
> > > > on your desktop, and then go to IE and type that url, the web site will not
> > > > come up, only the program that was named the certain.confusing?
> > > > i.e.
> > > > - copy autoexec.bat to ..\desktop
> > > > - rename autoexec.bat to www.google.com (can be any url)
> > > > - then go to IE and type "www.google.com"
> > > > - your batch file is then run
> > > > a few issues i have w/ this is:
> > > > - the prog will only run if it is on your desktop
> > > > - if you type "http://www.google.com", for example
> > > > it will not run (unless u name your file the same thing)
> > > > - it has only been tested on Win2k SP1, Winnt 4.0 SP6a w/ IE 5.5
> > > > - it doesn't seem to have any privilege escalation (all progs are run as
> > > > the current user logged on)
> > > > Just want a few others to try it and see wut they think
> > > > thanx alot
> > > > redpantz
> > > >
> > >
> >
> >--
> >=============================
> >Kevin W. Gagel
> >Network Administrator
> >College of New Caledonia
> >gagelat_private
> >(250)561-5848 loc. 448
> >=============================
>
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> Fab Siciliano
> Networks and Security
> Tel - 215.712.6200 Ext. 312
> Optium, Inc.
> "Break-Through Technology for Optical Transmission"
> http://www.optiumcorp.com
> :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>
>
>

--
---
-sween | M | http://www.modelm.org
---
"force feedback computing since 1984."
<meta name="MSSmartTagsPreventParsing" content="TRUE">

This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 23:29:37 PDT
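
An added example, not part of the archived thread: a defender-side check that lists files in a directory (for instance a user's Desktop) whose names are shaped like a web address, and marks which of them carry an extension Windows runs directly. The extension set, the TLD set and the function names are assumptions chosen for illustration, and the sample file names in `demo()` are constructed from the names mentioned in the thread.

```python
import re
import tempfile
from pathlib import Path

# Extensions Windows runs directly. ".com" is also a TLD, so a file named
# "www.google.com" already carries a runnable extension. Illustrative set.
RUNNABLE_EXTS = {".com", ".exe", ".bat", ".cmd", ".pif", ".scr"}
# Small illustrative TLD set (assumption); extend for local needs.
TLDS = {"com", "org", "net", "edu", "gov"}
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOST_RE = re.compile(rf"^(?:{LABEL}\.)+([a-z]{{2,}})$", re.IGNORECASE)

def host_like(name: str) -> bool:
    """True if name is shaped like something typed into an address bar."""
    m = HOST_RE.match(name)
    return bool(m) and (name.lower().startswith("www.")
                        or m.group(1).lower() in TLDS)

def classify(filename: str) -> tuple[bool, bool]:
    """Return (looks_like_host, runnable_extension) for one file name."""
    p = Path(filename)
    runnable = p.suffix.lower() in RUNNABLE_EXTS
    # Also test the name with the runnable extension removed ("example.org.bat").
    looks = host_like(filename) or (runnable and host_like(p.stem))
    return looks, runnable

def scan(directory) -> list[tuple[str, bool]]:
    """List host-like file names in directory with their runnable flag."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            looks, runnable = classify(entry.name)
            if looks:
                hits.append((entry.name, runnable))
    return hits

def demo() -> list[tuple[str, bool]]:
    # Constructed sample desktop; names taken from or modelled on the thread.
    names = ["www.google.com", "www.google.com.exe", "www.somekind.org",
             "example.org.bat", "notes.txt", "setup.exe"]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            (Path(d) / n).write_text("echo hello\n")
        return scan(d)

if __name__ == "__main__":
    for name, runnable in demo():
        print(f"{'RUNNABLE' if runnable else 'data    '}  {name}")
```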