Vulnerability Development mailing list archives
RE: internet explorer view-source url
From: chris carey <security () sublimespot com>
Date: 12 Jun 2002 14:00:52 -0700
view-source:file://c:/winnt/driver cache/i386/driver.cab or any other large file, kills the system for a while. (Page File and Hibernation files are locked by the system) while this this alone may not be such a big deal,.. you could use javascript to pop up n instances of that link, multiplying the effect n times -Chris Carey On Wed, 2002-06-12 at 09:34, aultl wrote:
view-source:file://c:/winnt/notepad.exe This will open notepad viewing notepad.exe on my system. I am running Win2k Pro sp2 + SRP1 and IE Version 6.0.2600.0000 Les -----Original Message----- From: Juan M. Courcoul [mailto:courcoul () campus qro itesm mx] Sent: Tuesday, June 11, 2002 6:44 PM To: vuln-dev () securityfocus com Subject: Re: internet explorer view-source url Juan M. Courcoul wrote:hellNbak wroteOn Mon, 10 Jun 2002, John C. Hennessy wrote:Perhaps its just me but I see this as a potential problem. From whatI can tell all versions of internet explorer 4 and above allow view-sourceurls. view-source:http://www.news.comI think it might be just you as doing a view-source:///boot.ini will show you the LOCAL boot.ini. So, if I was a malicous web master, unless I can get some sort of code to execute this doesn't help meallthat much.Tried both formats for the view-source URLs with the followingresults:Windows 2000 Professional SP2+all current patches Internet Explorer 5.50.4807.2300 view-source:http:... works, sort of. Page gets fetched, anddisplayedusing Notepad, not the main browser window. view-source:///local file does not work. Nothing is everdisplayed. Several co-subscribers have kindly pointed out that the proper format is: view-source:file://c:/temp/somefile.txt This does work, sometimes. On my machine, this gets the file opened in the preferred application for that suffix (Notepad in this case) iff the file is visible and you have appropiate permissions. Now if we could get COMMAND.COM (Win9x) or its Win2k kindred to open an executable, THEN we could have some wicked fun, else like hellNback pointed out, it's just a mildly interesting bit of IE trivia. JMC
Current thread:
- internet explorer view-source url John C. Hennessy (Jun 10)
- Re: internet explorer view-source url hellNbak (Jun 10)
- Re: internet explorer view-source url Juan M. Courcoul (Jun 11)
- Re: internet explorer view-source url Juan M. Courcoul (Jun 11)
- RE: internet explorer view-source url aultl (Jun 12)
- Re: internet explorer view-source url John C. Hennessy (Jun 12)
- RE: internet explorer view-source url chris carey (Jun 12)
- Re: internet explorer view-source url Juan M. Courcoul (Jun 11)
- Re: internet explorer view-source url hellNbak (Jun 10)