OK, so how did they do that??!

[TheOriginalH]

I was telling a colleague about ihatemicrosoft.com - which used to throw up an infinate number of pop-ups until your pc crashed if you used IE to visit it..

That has now changed - it shows you the contents of your C: instead - how??

[anthony_irl]

That is mad! I assume it's through the use of an applet

[aspen]

No, java applets are secure.

Its through use of ActiveX, microsoft's insecure wannabe.

[RussellG]

That site is pathetic.

[Jeremy W.]

It's not really an ActiveX control at all. I know it looks like one, but it isn't what it looks like.

It's simply a call to the IFrame mechanism via ActiveX. What does the IFRame contain? file:///c:/ as the location.

Nothing is being communicated to anyone, nothing is happening, this is the exact same thing as me making an iframe and putting the location as file:///c:/.

[anthony_irl]

Originally posted by aspen
No, java applets are secure.

Its through use of ActiveX, microsoft's insecure wannabe.

I retract my previous statement.

[mmj]

I've seen this done before.

I do not have a URL as it was an unwanted popup and I closed it (although it did catch my attention for a while).

I found it to be really pathetic. Upon second inspection it was so obviously a windows explorer type view of file:///c:/

However, I can see how this could have fooled some people, through no fault of their own, and I just really feel sorry for the people who saw this and decided to download the scumware that the site was advertising, thinking it would protect their privacy.

Surely this is unfair trading and there must be a consumer complaints organisation that you can complain to in the US about this kind of thing. Would complaining to a US host likely get this kind of thing shut down?

[Technosailor]

Originally posted by mmj
Surely this is unfair trading and there must be a consumer complaints organisation that you can complain to in the US about this kind of thing. Would complaining to a US host likely get this kind of thing shut down?

I find this absolutely absurd. Sure it's a stupid business practice - unethical in every way - but come on, they have a right to put that up. There is no slander or libel. There is no extortion. No crime is being committed except the crime of unethical business practices.

I don't agree with this, but I don't think we need to stoop to censorship either...

Sketch

[TheOriginalH]

Originally posted by mmj

I found it to be really pathetic. Upon second inspection it was so obviously a windows explorer type view of file:///c:/

Which in itself can be harmfull. Yesterday I tried viewing the site using our Citrix service (thin client). Sure enough, it displayed the contents of the C: of the Citrix box (which I should be unable to see). Not only that, but clicking on the icons inside actually allowed me to open and edit files. I could not delete or paste new files (Win security finally kicked in), but the fact I was in there at all proves that this is NOT a harmless flaw....

[Jeremy W.]

If it is possible from a website, it is possible using file:///c:/ as your address, meaning it is possible using Windows Explorer. They all inherit the same permissions

[TheOriginalH]

Not so. Windows explorer does not run (or is not set up to run) on the system. Typing file:///c:/ into Internet Explorer is also blocked. Clicking the icons on that page opens it in IE.

Active x has been switched off by our IT team.

[goober]

Right, considering that Internet explorer is a Shell of windows explorer (it can view windows folders, etc.) it can be used like windows explorer. Thus, when a link points to C:, IE merely opens up that users folder and displays the contents to just that user.

However, what TheOriginalH mentioned about his Citrix box was unnerving. Have you reported that bug, H?

'Till next time..

[TheOriginalH]

I think the IT team were flustered enough to make a call