Re: IE can read local files

  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: IE can read local files
  • From: Tobin Titus <adminVIPERLINK.NET>
  • Date: Tue, 8 Sep 1998 11:46:51 -0000
  • In-Reply-To: <199809081531.LAA02334ch4.viperlink.net>
  • Reply-To: Tobin Titus <adminVIPERLINK.NET>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Why is this coming out like it's a big shock?
With scripting on a server side, using the same scripting engines as IE,
you can read files, change files, delete files, create files, make folders,
delete folders, rename folders, tell you what drives are on your computer,
and even tell you the serial numbers of those drives if you don't set
permissions properly.
Why would it be any more surprising that you can do the same thing on
the client side?  Personally, I think it's going to get worse before it gets
better.
We all know about the ASP data streams here, but you'd be surprised
who doesn't know about this yet.  How about one of the largest
distributors of computer products in the nation?  How about our
universities?  What about online auctions?  These are all open.  The
problem is that the demand for dynamic content is higher than the
demand for security.  Microsoft allows us to add ActiveX technology
to client side pages in IE.  That's great, we get good content out of that,
but what about the security?  How many people do you think are going
to care when they scope a page that says "unsigned ActiveX" or "this
page contains active content that may be dangerous"?  In my own
opinion, there is going to be a small number of users hitting "cancel".

We need to petition for higher security in our products, especially the
most commonly used products: mail, browsers, news, etc.

Tobin Titus
System Administrator
adminviperlink.net