[thelist] windows scripting host throws exception

Andrew Clover and-evolt at doxdesk.com
Thu Mar 24 21:18:08 CST 2005


Volkan Özçilik wrote:

> <script>
> var shell = new ActiveXObject("WScript.Shell");
> </script>

> throws an "Automation Server can't create object" error.

Well, good! The Windows Shell object is highly security-sensitive and 
should not be scriptable from a web page. Otherwise every web page would 
be able to run arbitrary programs on the victim machine.

> When I change the extension of the file from ".html" to ".hta" and
> choose to run it, it works again without giving an error.

Yes, HTAs are local applications, not web pages, and have full 
privileges to instantiate COM objects, even those not marked as being 
"Safe for scripting" by web pages.

You *can* enable web pages to use objects like the Shell by setting the 
security option 'Initialize and script ActiveX controls not marked as 
safe' to 'Enabled', but this would be a Massively Bad Idea.

-- 
Andrew Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
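
A defender's check for the security option named in the message above, added here as an example and not part of the original post: Internet Explorer stores that option per security zone as registry value 1201 (0 = Enable, 1 = Prompt, 3 = Disable). The function name Get-UnsafeActiveXSetting and the choice to skip flagging the My Computer zone are assumptions of this example.

```powershell
# Added example: audit URL action 1201 ("Initialize and script ActiveX
# controls not marked as safe for scripting") in every IE security zone.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Per-user, per-machine and Group Policy copies of the zone settings.
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-UnsafeActiveXSetting {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root $zone
            if (-not (Test-Path $key)) { continue }

            # The value may be absent in a given hive; skip it quietly.
            $prop = Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }

            $value = [int]$prop.'1201'
            $text  = $Meaning[$value]
            if ($null -eq $text) { $text = "Unknown ($value)" }

            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Setting = $text
                # Flag 'Enable' in the zones that web content is mapped to.
                # Zone 0 (My Computer) is reported but not flagged, because it
                # covers local content rather than web pages.
                Flagged = ($zone -ne 0 -and $value -eq 0)
                Key     = $key
            }
        }
    }
}

# Show everything found, flagged rows first.
Get-UnsafeActiveXSetting |
    Sort-Object -Property @{ Expression = 'Flagged'; Descending = $true }, Zone |
    Format-Table -AutoSize
```

A flagged row for the Internet zone corresponds to the configuration the message calls a Massively Bad Idea; a row under a `Policies` key means the value is being pushed by Group Policy rather than set by the user.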

