Vulnerability Development mailing list archives

internet explorer view-source url


From: "John C. Hennessy" <johnh () charm net>
Date: Mon, 10 Jun 2002 05:43:19 -0700

Perhaps it's just me, but I see this as a potential problem. From what I can
tell, all versions of Internet Explorer 4 and above allow view-source URLs.

view-source:http://www.news.com

This opens notepad or your default html editor with the source of the main
page for news.com or any other site or page you specify.
Here's another one.

view-source:file:///boot.ini

This opens notepad or your default html editor to the local boot.ini, if it
exists. This could potentially be embedded into various html tags, causing the
instance of notepad or other editor to be opened automatically. If the file
specified does not exist, notepad will ask to create it. If someone isn't
paying attention they could hit enter and create the specified file.


John C. Hennessy
Information security analyst


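A defensive check for the embedding described in the message above, as an added example that is not part of the original post: a Python scanner that flags any HTML attribute whose value uses the view-source: scheme and reports which scheme it wraps. The function and class names and the sample markup are constructed for illustration; the two URLs are the ones quoted in the post.

```python
import re
from html.parser import HTMLParser

_C0_SPACE = "".join(map(chr, range(0x21)))
_SCHEME = re.compile(r"([a-z][a-z0-9+.-]*):")


def normalize(value):
    # URL parsers drop tab/CR/LF anywhere and trim leading and trailing
    # control characters and spaces, so do the same before matching.
    return re.sub(r"[\t\r\n]", "", value).strip(_C0_SPACE).lower()


def wrapped_scheme(value):
    """Scheme wrapped by view-source:, "" if none, None if not view-source."""
    url = normalize(value)
    if not url.startswith("view-source:"):
        return None
    m = _SCHEME.match(url, len("view-source:"))
    return m.group(1) if m else ""


class ViewSourceScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, attribute, wrapped scheme)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references
        # in attribute values, so "&#115;" is already "s" here.
        for name, value in attrs:
            scheme = wrapped_scheme(value or "")
            if scheme is not None:
                self.findings.append((self.getpos()[0], tag, name, scheme))


def scan(html):
    scanner = ViewSourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hypothetical markup).
SAMPLE = """<html><body>
<a href="http://www.news.com">plain link, not flagged</a>
<a href="view-source:http://www.news.com">source of a remote page</a>
<img src=" VIEW-&#115;ource:file:///boot.ini">
</body></html>"""
```

A wrapped scheme of `file` marks the local-file case from the post and is the finding to triage first.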

