Vulnerability Development: RE: internet explorer view-source url

[aultl <aultl () comcast net>]

view-source:file://c:/winnt/notepad.exe

This will open notepad viewing notepad.exe on my system.

I am running Win2k Pro sp2 + SRP1 and IE Version 6.0.2600.0000 

Les


-----Original Message-----
From: Juan M. Courcoul [mailto:courcoul () campus qro itesm mx] 
Sent: Tuesday, June 11, 2002 6:44 PM
To: vuln-dev () securityfocus com
Subject: Re: internet explorer view-source url

Juan M. Courcoul wrote:

> hellNbak wrote
> > On Mon, 10 Jun 2002, John C. Hennessy wrote:
> >
> > > Perhaps its just me but I see this as a potential problem. From what
> > > I can
> > > tell all versions of internet explorer 4 and above allow view-source
> > > urls.
> > >
> > > view-source:http://www.news.com
> > I think it might be just you as doing a view-source:///boot.ini will 
> > show you the LOCAL boot.ini.  So, if I was a malicous web master, 
> > unless I can get some sort of code to execute this doesn't help me
all 
> > that much.
> Tried both formats for the view-source URLs with the following
results:
> Windows 2000 Professional SP2+all current patches
> Internet Explorer 5.50.4807.2300
>    view-source:http:... works, sort of. Page gets fetched, and
displayed
>                         using Notepad, not the main browser window.
>
>    view-source:///local file  does not work. Nothing is ever
displayed.

Several co-subscribers have kindly pointed out that the proper format
is:

    view-source:file://c:/temp/somefile.txt

This does work, sometimes. On my machine, this gets the file opened in 
the preferred application for that suffix (Notepad in this case) iff the

file is visible and you have appropiate permissions. Now if we could get

COMMAND.COM (Win9x) or its Win2k kindred to open an executable, THEN we 
could have some wicked fun, else like hellNback pointed out, it's just a

mildly interesting bit of IE trivia.

JMC