[thelist] windows scripting host throws exception
Andrew Clover
and-evolt at doxdesk.com
Thu Mar 24 21:18:08 CST 2005
Volkan Özçilik wrote:

> <script>
> var shell = new ActiveXObject("WScript.Shell");
> </script>
> throws an "Automation Server can't create object" error.

Well, good! The Windows Shell object is highly security-sensitive and
should not be scriptable from a web page. Otherwise every web page would
be able to run arbitrary programs on the victim machine.

> When I change the extension of the file from ".html" to ".hta" and
> choose to run it, it works again without giving an error.

Yes, HTAs are local applications, not web pages, and have full
privileges to instantiate COM objects, even those not marked as being
"Safe for scripting" by web pages.

You *can* enable web pages to use objects like the Shell by setting the
security option 'Initialize and script ActiveX controls not marked as
safe' to 'Enabled', but this would be a Massively Bad Idea.
--
Andrew Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
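
An audit for the security option named in the reply above, as an added example that is not part of the original post: it reports where 'Initialize and script ActiveX controls not marked as safe' is stored for each Internet Explorer security zone and flags any web-facing zone left at 'Enabled'. It assumes the standard zone registry layout, where this option is URL action 1201 with data 0 = Enabled, 1 = Prompt, 3 = Disabled; the choice to treat only zones 1 to 4 as findings is this example's own.

```powershell
# URL action 1201 = "Initialize and script ActiveX controls not marked as safe".
# Value data: 0 = Enabled, 1 = Prompt, 3 = Disabled.
$action    = '1201'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Per-user and per-machine settings, plus the Group Policy copies of each.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$results = foreach ($root in $roots) {
    foreach ($zone in 0..4) {
        $key = Join-Path $root "$zone"
        if (-not (Test-Path $key)) { continue }

        # The value may simply be absent for a zone; skip it quietly.
        $prop = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }

        $value = [int]$prop.$action
        $text  = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unknown ($value)" }

        [pscustomobject]@{
            Zone    = $zoneNames[$zone]
            Setting = $text
            # Assumption of this example: 'Enabled' in any zone that can hold
            # remote content (1-4) is a finding; zone 0 is reported but not flagged.
            Finding = ($value -eq 0 -and $zone -ne 0)
            Key     = $key
        }
    }
}

$results | Format-Table -AutoSize -Wrap

$bad = @($results | Where-Object { $_.Finding })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) zone setting(s) allow scripting of ActiveX controls not marked as safe."
    exit 1
}
```

Setting the value back to 3 (Disabled) in a flagged zone restores the behaviour described in the post, where the page's attempt to create the Shell object fails.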