Re: Newbie Question: Windows Explorer

From: Duane Arnold (darnold92@Insightbb.com)
Date: 10/05/02 

From: "Duane Arnold" <darnold92@Insightbb.com>
Date: Fri, 04 Oct 2002 22:19:28 GMT

ASP needs VBScript and a browser to run and blocking with an IDS or AV
system would stop script from running.

Duane :)

"Tony Whitmore" <tony_whitmore@nospamhotmail.com> wrote in message
news:Vkin9.2484$Fv2.238660@wards...
> Hi Duane,
>
> We haven't been in the same thread for a while - nice to hear from you!
The
> security features you're thinking of (denying EVERYBODY) are part of the
> NTFS file system, and so aren't present on Win9x based machines.
>
> The security scare trick (the "I can see your hard disk on my webpage"
> trick) I was thinking about was discussed on this thread:
> http://tinyurl.com/1sdw although the site hosting it has disappeared I'm
> sure that others out there are still using it. Astalavista.com had it at
one
> point. A few posts in this group have discussed it, including smug
comments
> from Linux users for whom it didn't work ;-)
>
> I don't know much about ASP but would blocking explorer.exe prevent the
> potentially abusive drive controls from working? That was the issue in the
> original post.
>
> Cheers,
>
> Tony
>
>
> "Duane Arnold" <darnold92@Insightbb.com> wrote in message
> news:_gfn9.38832$Pz.33051@rwcrnsc51.ops.asp.att.net...
> > There is a File Object in Active Server Page (Web programming) will
allow
> > one do to many things on a client machine. Such as list a drive's
> directory
> > or determine what drive letters a machine has, etc. etc. So it's a
little
> > more then "c:\" in the URL Box but you're close in the fact that
Security
> > Sites play the little security issue game.
> >
> > It's been a long time since I have been on a Win9.x machine but doesn't
it
> > have Security on drive or directory you can control to deny or allow
> access
> > like NT, 2K and XP? One could delete or control the EVERYBODY account to
> > prevent things such as the OP is worried about.
> >
> > I do this on my FTP directory site so you should be able to prevent this
> > from happening on any drive or directory. Don't know about 9x series
> > anymore.
> >
> > Duane :)
> >
> > "Tony Whitmore" <tony_whitmore@nospamhotmail.com> wrote in message
> > news:UCen9.2435$Fv2.236341@wards...
> > > Any firewall should highlight unknown applications asking for
permission
> > and
> > > so it is more a case of whether you want to allow it access or not.
> Under
> > > Win98 explorer.exe and iexplore.exe are essentially the same
application
> > > (although they are seperate executables) and work in much the same
way.
> > This
> > > allows you to type a URL into the Explorer address bar and access a
> > website,
> > > and enter "c:\" into the Internet Explorer address bar and access your
> > hard
> > > disk contents. The one application changes into the other when you try
> it.
> > > If you enter a URL into Explorer and it wants to access the internet
to
> > > fetch it, that seems sensible. After all, how else can it get the
remote
> > > webpages? If you want to stop explorer.exe from accessing the
internet,
> > > don't enter URLs into the address bar, and set your firewall to block
> > > outgoing connection attempts.
> > >
> > > However, if you allow explorer.exe to access the net then that doesn't
> > mean
> > > it is acting as a server, allowing your information to be served to
the
> > > internet. If you are worried about this you could configure your
> firewall
> > to
> > > allow explorer.exe outgoing rights only. Then it could fetch webpages
> > quite
> > > happily. I suspect that some of the people who have talked about the
> > > "potential abuse" aspect of firewalling explorer.exe have been tricked
> by
> > a
> > > website that has used IEs features to show an Explorer window in their
> > > website, with the contents of your hard disk. Although it is worrying,
> it
> > IS
> > > just a trick. There are several "security" sites out there which use
it.
> > >
> > > Cheers,
> > >
> > > Tony Whitmore
> > >
> > >
> > > "Larry G" <thelarry_g3@yahoo.com> wrote in message
> > > news:anjddb$el9ac$1@ID-37509.news.dfncis.de...
> > > > I've tried two firewalls so far: ZoneAlarm and Outpost. On both of
> > these,
> > > > whenever I connect to a webpage *Windows Explorer*, the file manager
> > > > (explorer.exe) asks for permission to access the 'net whenever I
wish
> to
> > > > access a webpage. If I deny it permission, I cannot access
websites.
> > > >
> > > > I've been told that many people deny *Windows Explorer*, the file
> > manager,
> > > > access to the 'net with firewalls because if you give them
permission,
> > > this
> > > > opens up your whole hard drive to potential abuse. Others seem
> > nonchalant
> > > > about this question, and matter of fact that explorer.exe should
> access
> > > the
> > > > 'net because it is part of MS integrated browser with the OS.
> > > >
> > > > So, which is it? Is it normal for *Windows Explorer* to request
> > > permission
> > > > to access the 'net when going to websites? I would have thought it
> > would
> > > be
> > > > Internet Explorer (iexplore.exe) that would request the permission.
> > Some
> > > > people say that they can deny *Windows Explorer* access to the 'net,
> and
> > > > still go to websites on IE. However, I cannot. I've checked for
> > trojans,
> > > > and my system is reported clean. Am I still adequately protected
with
> a
> > > > firewall if I grant it permission?
> > > >
> > > > Thanks for any clarifications on this subject. Am I still protected
> by
> > > the
> > > > firewall, if I grant *Windows Explorer* access to the internet in
> order
> > to
> > > > go to websites on IE.
> > > >
> > > > Running:
> > > > Windows 98SE
> > > > Compaq 5834
> > > >
> > > > Larry
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • RE: Pen-Test and Social Engineering
    ... "see...your network security is penetrable". ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Hackers are concentrating their efforts on attacking applications on your ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
    (Pen-Test)
  • RE: Pen-Test and Social Engineering
    ... "see...your network security is penetrable". ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Hackers are concentrating their efforts on attacking applications on your ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
    (Pen-Test)
  • RE: Nortel Contivity 2600
    ... simplicity and security is a combination of things that have been suggested. ... Put the inside interface in a DMZ of its own with an IPS device between ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping ...
    (Pen-Test)
  • RE: Windows XP SP2 and Security Tools
    ... issues that were in SP2. ... Windows XP SP2 and Security Tools ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are ...
    (Pen-Test)
  • RE: User Education (was: New article on SecurityFocus)
    ... Those responsible for the education ... > security relates to their job - about the only time they run into it is ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
    (Pen-Test)