Hi,

One example is used in at least two collaboration systems that I know of (one of which is produced by Microsoft). There is a "view in Explorer mode" option for a document library. From memory (I don't have an installation handy at home) this invokes some script on the client that invokes the WebDAV provider, which displays an explorer view of a document library.

I'll have a look at this at work - I'm not 100% sure whether this is entirely script based, or whether it invokes an HTTP request to which the server returns a response which invokes something on the client. But in either case, there is no user interaction.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Hassan Schroeder
Sent: Tuesday, 4 September 2007 11:20 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Windows WebDAV problem with authentication

On 9/3/07, Ken Schaefer <Ken at adopenstatic.com> wrote:

> The issue, from what I remember, is that, say a script, running on the user's
> machine, may invoke the WebDAV provider to connect to a remote resource.
> Since the prompt will be in Explorer rather than IE, it may be that some users
> are trusting enough to think that this is a LAN resource.

"a script" -- are you talking about a script running in a browser, loaded from an arbitrary site? Do you have any references to how this exploit would actually work?