HTA files WAS Re: [thelist] Automate zip?

Ken Schaefer ken at adOpenStatic.com
Fri May 28 22:00:58 CDT 2004


Hi,

You can just as easily create a batch file (create a new text document
called test.txt and rename it to test.bat) that contains the command

del *.* /y /s

and run that by double-clicking on it. What you can do is entirely dependent
on the permission your user account had. Use a low privilege account, and
the damage is limited.

Additionally, you are required to actively do something to run the program
(just like running any other program). How different is this (running a .hta
file) to running any other program? How different is this to working on any
other operating system? At least with an HTML Application or batch file, or
script file I can open the thing in Notepad and easily verify the commands
being processed.

You can create batch files on pretty much every operating system with
nothing more than a text editor.

Cheers
Ken

----- Original Message ----- 
From: "Diane Soini" <dianesoini at earthlink.net>
To: <thelist at lists.evolt.org>
Sent: Saturday, May 29, 2004 1:16 AM
Subject: Re: HTA files WAS Re: [thelist] Automate zip?


: I think the horror is how easy they are to create, that they can
: execute commands on the file system. Sure, you can have security
: settings on high, but what if you don't? Or what if you are in the
: trusted zone but a total computer programming novice and a terrible
: programming accident occurs. Or what if there is some misfit at the
: company with a grudge.
:
: Likely other platforms have similar abilities, but I have not seen
: anything so easy to do (and easy to disseminate and execute) as this.
: (With one possible exception: I know someone who once accidentally typed
: in rm -rf * at the root of his unix system. Oops.)
:
: Nevertheless, it's a very convenient feature and solved my problem
: perfectly. I used a file upload field to have the user point to the
: directory they want zipped, rather than asking them to type into a
: command line the rather lengthy path to the files. And the familiar
: html interface helps the non-techie people on staff not be scared
: looking at a command line.
:
: > Thankfully, the default security settings on MSIE prevent you opening these
: > from outside your trusted zone (don't know if my jargon is correct here) but
: > basically you can't open these from the internet, so perhaps it's not quite
: > the horror that Diane foresaw.
: >
: > Just a guess...
: >
: > David
:
:
: On Friday, May 28, 2004, at 04:01 AM, thelist-request at lists.evolt.org
: wrote:
:
: > Subject: HTA files WAS Re: [thelist] Automate zip?
: > Reply-To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
: >
: >
: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: > From: "Diane Soini" <dianesoini at earthlink.net>
: > Subject: Re: [thelist] Automate zip?
: >
: > : Then I wrapped it all up in a .hta file. I had never seen one of those
: > : before. The horror! No wonder Windows computers are so vulnerable.
: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: >
: > Care to elaborate?
: >
: > Cheers
: > Ken
: ***
: Don't be afraid to try something new. An amateur built the ark.
: Professionals built the Titanic. -unknown
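The point made in the reply above, that an .hta is plain text whose commands can be read before it is run, can be turned into a small pre-execution review. The following is an added example, not part of the original thread: the pattern list, the function name `review_hta` and the sample HTA are constructed for illustration, and the pattern list is not exhaustive.

```python
import re
from html.parser import HTMLParser
# Patterns a reviewer would look for (assumed list, for illustration only).
RISKY = {
    "runs commands": re.compile(r"WScript\.Shell|Shell\.Application|\.Run\b|\.Exec\b", re.I),
    "touches files": re.compile(r"Scripting\.FileSystemObject|\.DeleteFile|\.DeleteFolder", re.I),
    "creates COM object": re.compile(r"CreateObject|new\s+ActiveXObject", re.I),
}

class ScriptExtractor(HTMLParser):
    """Collects the text inside every <script> element of an HTA/HTML file."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.blocks = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.blocks.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.blocks[-1] += data

def review_hta(text):
    """Return (script_line, [labels]) for each script line matching a pattern."""
    parser = ScriptExtractor()
    parser.feed(text)
    parser.close()
    findings = []
    for block in parser.blocks:
        for line in block.splitlines():
            labels = [name for name, rx in RISKY.items() if rx.search(line)]
            if labels:
                findings.append((line.strip(), labels))
    return findings
# Constructed sample, modelled on the zip helper described in the thread.
SAMPLE_HTA = """<html><head><hta:application id="zipper"/>
<script language="VBScript">
Sub ZipIt()
  Set sh = CreateObject("WScript.Shell")
  sh.Run "zip.exe -r out.zip " & document.all.dir.value
End Sub
</script></head><body><input type="file" id="dir"></body></html>"""
if __name__ == "__main__":
    for line, labels in review_hta(SAMPLE_HTA):
        print(", ".join(labels), "->", line)
```

A clean result only means none of the listed patterns appeared in a script block; the file still needs to be read.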