At 01:46 28.02.02 +0200, LS wrote:
>Hi all,

Good morning Eli

>I was sent the following address:
>
>http://www.security7.ch.vu/
>
>When entering, it claims that you are exposed and tracked and a lot of
>information is stored on your computer (doh.. although I don't keep names
>on it etc..). What caught my attention is that they show you the contents
>of your root directory (c:\ for a windows machine...).

Yes, it is normal.

>What's alarming is that I don't see how this thing could've been done. I
>don't allow any shares, I don't allow any services, and unless it is an IE
>exploit of some sort, there is no other way to explain it. My firewall
>(TPF) handles all the microsoft network issues and only internal LAN can
>even see my nbt name etc... this is weird.
>Anybody know how this is done ?

Yes, quite easy. It is a Javascript. Here I have coded a little example
script for you.

    <FORM action="FILE://C:/" method="GET" target="_new">
    <INPUT type="submit" value="Your root">
    </FORM>

But don't be afraid. Javascript is a client-side language and the server
doesn't get anything from this data. It is only a little IE feature, which
makes a lot of users insecure. Very often they tell you to download a
little tool, with which you can fix this bug. DON'T DO THAT.

So, don't be afraid, it's all right. You can fix this feature by
interdicting Javascript in your browser's configuration.

I hope this helps. If anything I said here is wrong, please notify me.

>Regards,
>Eli

Greetings
Dominik

-- 
http://www.code-foundation.de
217.229.69.207 - - [14/Oct/2001:02:29:41 +0200] "GET /MSADC/root.exe?/c+dir
Microsoft? Where do you want to surf today?
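
Added example, not part of the original message: a Python check that a filtering proxy or mail gateway could run over fetched HTML to flag markup that points the browser at a file: URL, as the FORM in the reply above does. It goes beyond the form case to other URL-carrying attributes; the function names, the attribute list and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that can make a browser load or navigate to a URL (assumed list).
URL_ATTRS = {"action", "formaction", "href", "src", "data", "background"}
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))


def url_scheme(value):
    """Return the lower-cased scheme the way a browser would read it."""
    # Browsers drop tab/CR/LF and leading control characters or spaces,
    # and treat the scheme as case-insensitive ("FILE://C:/" == "file://C:/").
    cleaned = value.translate({9: None, 10: None, 13: None}).lstrip(_C0_AND_SPACE)
    scheme, sep, _ = cleaned.partition(":")
    return scheme.lower() if sep else ""


class FileSchemeFinder(HTMLParser):
    """Collects (line, tag, attribute, value) for each file: URL in markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _col = self.getpos()
        for name, value in attrs:
            if name in URL_ATTRS and value and url_scheme(value) == "file":
                self.findings.append((line, tag, name, value))


def find_file_urls(html):
    parser = FileSchemeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the form from the message plus a plain link.
SAMPLE_PAGE = """<html><body>
<a href="http://example.org/files/">harmless link</a>
<FORM action="FILE://C:/" method="GET" target="_new">
<INPUT type="submit" value="Your root">
</FORM>
<a href=" file:///C:/">local link</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, value in find_file_urls(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}={value!r}> references a local file URL")
```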