  1. #1
    Regular Coder
    Join Date
    May 2002
    Location
    Helsinki, Finland
    Posts
    231
    Thanks
    0
    Thanked 1 Time in 1 Post

    Attention: XP sec. hole (Help Center)

    There has been a very serious flaw discovered in, ironically, the "Help Center" included in Windows XP.

    To try it out, do the following, but, BE WARNED, it will delete ANYTHING you put in the "test" directory. (I should point out, sub-directories aren't deleted, and user permissions may have an effect)

    Create a folder called "test" at the root directory of your hard drive. (i.e: c:\test\) Put some files in it (junk, files you don't care about losing - create some new text documents or something).

    Then, copy and paste the "link" below into your address bar and hit enter.

    Wait a few seconds, the "Help Center" should pop up.. then, once you've closed the help center, check that directory again. You should notice the files in the directory you created are gone..

    This should be frightening to any Windows XP user, because anyone could link it on any webpage.. definitely a terrible flaw in the Windows Help Center included in XP.
    http://www.theregister.co.uk/content/4/27074.html
    http://24.78.2.184/helpcenter.htm
    Zvona
    First Aid for
    Web Design

  • #2
    New to the CF scene
    Join Date
    Sep 2002
    Posts
    9
    Thanks
    0
    Thanked 0 Times in 0 Posts
    the link is:
    hcp://system/DFS/uplddrvinfo.htm?file://c:\test\*

    I'd like to point out that you're obviously not limited to "test".. you can delete anything with this link, such as ...file://c:\DRIVERS\NETWORK\PCI_DATA.EXE.

    =================
    Easy Fix(es)

    1. Delete or Rename the file: "c:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm"

    2. Find and Remove the following code from "uplddrvinfo.htm"

    var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
    try
    {
    oFSO.DeleteFile( sFile );
    }

    3. Use a browser other than IE

    4. Install Linux ;p

    5. Use the flaw to delete the flaw! Paste the link below in your browser to remove uplddrvinfo.htm.
    Code:
    hcp://system/DFS/uplddrvinfo.htm?file://c:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm
    Credit goes to Jabberwocky, from Source Guru for the fixes.
    ================

    AARRRGGGHHH!!! I can't get the stupid space between file:// and c:\ to go away! If you paste the link into your address bar, manually remove that space.
    Last edited by teufelfisch; 09-13-2002 at 06:00 PM.
    Recycle Your Pets
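
Added example, not part of the original posts and not code from Microsoft or the fix authors credited above: a small scanner a mail or web filter could run over HTML or log text to spot hcp:// links, flagging those that pass a file:// path to uplddrvinfo.htm as in the link quoted in post #2. The function names, the sample HTML and the placeholder link are constructed for illustration.

```javascript
// Added example: find hcp:// links in HTML or log text and flag the ones
// that pass a file:// path to uplddrvinfo.htm, the pattern from this thread.

// Numeric character reference -> character (empty string if out of range).
function fromCode(n) {
  return n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Undo HTML-entity and percent-encoding so an obfuscated link still matches.
function normalize(text) {
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&amp;/gi, '&')
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// An hcp:// URL up to whitespace, a quote or an angle bracket. The optional
// tail tolerates the single space some forum software inserts after file://.
const HCP_URL = /hcp:\/\/[^\s"'<>]+(?: (?=[a-z]:\\)[^\s"'<>]+)?/gi;
// The Help Center page named in the thread, followed by a file:// argument.
const DELETE_ARG = /uplddrvinfo\.htm\?file:\/\/ ?(.*)$/i;

function findHcpLinks(text) {
  const findings = [];
  for (const m of normalize(text).matchAll(HCP_URL)) {
    const arg = DELETE_ARG.exec(m[0]);
    // deleteTarget is the path handed to the page, or null for other links.
    findings.push({ url: m[0], deleteTarget: arg ? arg[1] : null });
  }
  return findings;
}

// Constructed sample input: a plain link, an entity/percent-encoded variant,
// and an unrelated placeholder hcp:// link.
const SAMPLE = [
  '<a href="hcp://system/DFS/uplddrvinfo.htm?file://c:\\test\\*">help</a>',
  '<iframe src="HCP&#58;//system/DFS/UPLDDRVINFO.htm%3Ffile://c:\\test\\*"></iframe>',
  '<a href="hcp://example/placeholder.htm">support</a>',
].join('\n');

for (const f of findHcpLinks(SAMPLE)) {
  console.log(f.deleteTarget ? 'DELETE-PATTERN' : 'hcp-link', f.url);
}
```

Matching after decoding matters here because a plain substring search for the lowercase link misses the second sample line.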

