Bugtraq mailing list archives
Re: IE 5.0 allows executing programs
From: Russ.Cooper () RC ON CA (Russ)
Date: Tue, 24 Aug 1999 18:53:57 -0400
Not to diminish the importance of Georgi's find, but you can prevent the exploit by changing the default, "Medium" security setting for the Internet Zone, to "High", or simply disabling "Script ActiveX controls marked safe for scripting". As opposed to disabling "Run ActiveX controls or plug-ins" or disabling scripting completely.

Anyone following Richard Smith's finds in scriptable components from Compaq, HP, et al may already have done this...;-]

It's also worth pointing out that while Georgi's page nicely disclaims all liabilities, etc... it exploits you before you get a chance to read that...;-] (Well, actually it exploits you if your systemroot is "\windows", otherwise it generates a script error). I'm pretty sure you could use the environment variable "%systemroot%" in place of any instances of a hard coded directory name. I think it would be interpreted correctly by the client.

Cheers,
Russ - NTBugtraq Editor
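An added example, not part of the original message: a PowerShell audit that reports how the Internet Zone is configured for the three settings the message names. The registry paths and URL action IDs (1200, 1400, 1405) are the standard Internet Explorer zone values and do not appear in the post; the policy-before-user lookup order is a simplifying assumption.

```powershell
# Added example: audit Internet Zone (zone 3) settings named in the message.
# Action IDs are the standard IE URL action values (not taken from the post).
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Assumption: policy hives take precedence over the per-user setting.
$zonePaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

function Get-ZoneActionState {
    param([string]$ActionId)
    # Return the first hive that defines the action, with its raw DWORD value.
    foreach ($path in $zonePaths) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.$ActionId) {
            return [pscustomobject]@{ Source = $path; Value = [int]$props.$ActionId }
        }
    }
    return $null
}

$report = foreach ($id in $actions.Keys) {
    $state = Get-ZoneActionState -ActionId $id
    if ($null -eq $state) {
        $setting = 'Not set'; $source = '-'
    } elseif ($meaning.ContainsKey($state.Value)) {
        $setting = $meaning[$state.Value]; $source = $state.Source
    } else {
        $setting = '0x{0:X}' -f $state.Value; $source = $state.Source
    }
    [pscustomobject]@{ Action = $id; Name = $actions[$id]; Setting = $setting; Source = $source }
}
$report | Format-Table -AutoSize

# The narrower mitigation from the message: action 1405 set to Disable.
$safeForScripting = $report | Where-Object { $_.Action -eq '1405' }
if ($safeForScripting.Setting -ne 'Disable') {
    Write-Warning 'Internet Zone still allows scripting of controls marked safe for scripting.'
}
```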