Hi Shawn, 

> Question: What's the consensus for creating a method of the 
> dqsdtools object that provides the ability to create activex 
> objects in the same manner as CreateObject(sObject)?
> 
> This has the potential to be a one-off security issue if the 
> user is convinced to install a malicious script or someone 
> gains direct access to the system. It's not directly a threat 
> in and of itself, however.

The problem is, any script on the client machine can use that method to
create anything. I thought about limiting which objects can be created
(XmlHttp is probably the most necessary one), but that doesn't really help.
If someone finds an exploit in XmlHttp, and they know the user has DQSD
installed, it's a no-brainer to exploit DQSD to instantiate the object.

I think the security alerts are valid, the user has a right to know. But I
do agree that they are a pain in the backside.

I've been thinking - maybe we could place DQSD in its own Internet Explorer
Zone - is that possible? Then people could configure IE to allow just what
DQSD needs and for DQSD only. We could ship DQSD with a pre-configured zone
that allows the necessary stuff. I don't know how the mapping between zone
and application is done, though, it's probably URL-based, somehow... :-/

Cheers,
Kim
