Re: Scripting.FileSystemObject (was: IE4/Mac)

[John Dowdell]

At 11:45 PM 2/19/98, Aaron Salo wrote:

>I have no love for Uncle Bill, but in this case it IS a feature. By using the

>

>CreateObject("Scripting.FileSystemObject")

>

>method in VBScript I can reach out and pave any file in your machine that I

>know the name of... In the case of Windoze, a fun target is always

>autoexec.bat. Or config.sys. Or use your imagination....



Well, *that* certainly caught my attention...! ;)


When I searched DejaNews with term "Scripting.FileSystemObject AND

security" I turned up a post on Feb 4 from Eric Lippert of Microsoft

Scripting who said that the File System Object needs to be explicitly

installed; that it does not ship with IE4 both for security and size

reasons. (The "Windows Scripting Host" download apparently contains this

control.)


He also said you'd need to set the IE security preferences to their lowest

settings in order to have it run. This is usually only enabled for

serverside writes, rather than clientside work.


(In other words, there's a way to overwrite files within the browser, but

you'd have to download things and explicitly give permission in order to

let a page do so.)


Is this in line with the information you have yourself? If you do see a

danger here, do you have a link to documentation on it? No reply necessary,

but if you've got further word then I'd like to investigate, thanks in

advance.


jd




John Dowdell, Macromedia Tech Support, San Francisco CA US


Private email options: http://www.macromedia.com/support/priority.html

Search technotes: http://www.macromedia.com/support/search/

Search DIRECT-L: http://www.mcli.dist.maricopa.edu/director/digest/

Online savvy: http://search.yahoo.com/bin/search?p=netiquette

Entertainment on the web: http://shockrave.macromedia.com/




------------------------------------------------------------------------

To UNSUBSCRIBE send: unsubscribe flasher in the body of an

email to

list-managershocker [dot] com

.  Problems to:

ownershocker [dot] com

N.B. Email address must be the same as the one you used to subscribe.

For info on digest mode send: info flasher to

list-managershocker [dot] com