[thelist] windows scripting host throws exception [SOLVED]

VOLKAN ÖZÇELİK volkan.ozcelik at gmail.com
Fri Mar 25 01:21:45 CST 2005


>You *can* enable web pages to use objects like the Shell by setting the
>security option 'Initialize and script ActiveX controls not marked as
>safe' to 'Enabled', but this would be a Massively Bad Idea.

I know that it's highly insecure. I wonder why IE does not create the
object even if I give it full access by setting the initialize and
script stuff to "prompt"?

And yes, when I set it to "enabled" it works. But when set to prompt it
does not. Strange. And fully enabling is nothing but madness.

Thank you for your help.




On Fri, 25 Mar 2005 12:18:08 +0900, Andrew Clover <and-evolt at doxdesk.com> wrote:
> Volkan Özçelik wrote:
> 
> > <script>
> > var shell = new ActiveXObject("WScript.Shell");
> > </script>
> 
> > throws an "Automation Server can't create object" error.
> 
> Well, good! The Windows Shell object is highly security-sensitive and
> should not be scriptable from a web page. Otherwise every web page would
> be able to run arbitrary programs on the victim machine.
> 
> > When I change the extension of the file from ".html" to ".hta" and
> > choose to run it, it works again without giving an error.
> 
> Yes, HTAs are local applications, not web pages, and have full
> privileges to instantiate COM objects, even those not marked as being
> "Safe for scripting" by web pages.
> 
> You *can* enable web pages to use objects like the Shell by setting the
> security option 'Initialize and script ActiveX controls not marked as
> safe' to 'Enabled', but this would be a Massively Bad Idea.
> 
> --
> Andrew Clover
> mailto:and at doxdesk.com
> http://www.doxdesk.com/
>
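A way to check whether any machine has been left with the setting discussed in this thread switched on (an added example, not part of the original messages). It assumes the standard Internet Explorer zone layout in the registry, where URL action `1201` is "Initialize and script ActiveX controls not marked as safe" and the values 0, 1 and 3 mean Enabled, Prompt and Disabled; none of these identifiers appear in the thread itself.

```powershell
# Added example: audit URL action 1201 ("Initialize and script ActiveX
# controls not marked as safe") in every IE security zone.
$action  = '1201'
$zones   = [ordered]@{
    '0' = 'My Computer';  '1' = 'Local intranet'; '2' = 'Trusted sites'
    '3' = 'Internet';     '4' = 'Restricted sites'
}
$meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Per-user, per-machine and Group Policy copies of the zone settings.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$report = foreach ($root in $roots) {
    foreach ($id in $zones.Keys) {
        $key = Join-Path $root $id
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        if ($null -eq $value) { continue }      # action not set under this key
        $setting = if ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                   else { "Unknown ($value)" }
        [pscustomobject]@{
            Hive    = $root.Substring(0, 4)
            Policy  = $root -like '*\Policies\*'
            Zone    = $zones[$id]
            Setting = $setting
            # "Enabled" in any web-facing zone lets page script create
            # objects such as WScript.Shell without asking the user.
            Risky   = ($id -ne '0' -and $setting -eq 'Enabled')
        }
    }
}

$report | Format-Table -AutoSize

$risky = @($report | Where-Object { $_.Risky })
if ($risky.Count -gt 0) {
    Write-Warning ("{0} zone setting(s) allow unsafe ActiveX scripting: {1}" -f
        $risky.Count, (($risky | ForEach-Object { "$($_.Hive)/$($_.Zone)" }) -join ', '))
}
```

The script only reads the registry; a warning for the Internet or Restricted sites zone means the setting should be returned to Disabled.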

