tags:

views:

489

answers:

5
+5  Q: 

Suprisingly, JavaScript Code could execute any process it want. Why?

I asked "How to run a executable file from a web page?"

Many people told me that's impossible, but my colleague find a piece of JavaScript code that could execute any process. I can not believe ActiveX is so dangerous.

How could this happen? Why this is not forbidden by IE?

    <SCRIPT   language=JavaScript>   
  function   Run(strPath)   {   

  try   {   
  var   objShell   =   new   ActiveXObject("wscript.shell");   
  objShell.Run(strPath);   
  objShell   =   null;   
  }   
  catch   (e){alert('Can not find "'+strPath)   

  }   
  }   
  </SCRIPT>   

  <BUTTON   class=button   onclick="Run('notepad')">notepad</BUTTON><br>   
  <BUTTON   class=button   onclick="Run('mspaint')">mspaint</BUTTON><br>   
  <BUTTON   class=button   onclick="Run('calc')">calc</BUTTON><br>   
  <BUTTON   class=button   onclick="Run('format c:')">format c:</BUTTON><br>
+5  A: 

While you can do this IE will block it saying that there is an

ActiveX Control is trying to access you computer, click here for options

You can only run these if the end user allows them too and hopefully people are clever enough not to allow it to run. If you do allow it then there is always another alert asking if you really want to run this so there should be enough security around it.

AutomatedTester  2009-07-31 09:19:56
+1  A: 

Did you try this?

wscript.shell can't be used in this way from a web page loaded remotely. If you loaded the web page from a local file or have changed your security settings it might work but it won't work when loaded from a remote web server.

John Burton  2009-07-31 09:20:22
This will also happen if you run it from file://
AutomatedTester  2009-07-31 09:21:24
No, it also works remotely. It just asked if the user would like to run a activex, which most people will chose "YES"
ablmf  2009-07-31 09:39:02
It doesn't work on either of the computers I tried it on. Yours must be configured differently
John Burton  2009-07-31 10:24:24
A: 

The good news is IE8 blocks this behaviour, even with a local file. I don't know about IE7, though I would imagine this is also the case. I would doubt it would work with a remote file, even with IE6, otherwise we would have had some major incident by now and a patch would have been issued.

Chris  2009-07-31 09:23:47
No, that's not true. I tested it on IE8. It just ask the user if he would like to run activex.
ablmf  2009-07-31 09:40:07
+3  A: 

Local files run in a different security environment than remote files, so while that will work if you save the file as an html and open it from your computer, if you upload it on a server and try to run it from there it will not work.

Blindy  2009-07-31 09:33:28
A: 

Its depends on your browser's security configuration. In some cases this peace of code will not be executed. But anyway user will be asked to allow ActiveX to run external process:

ActiveX Control is trying to access you computer, click here for options
Paul Podlipensky  2009-07-31 10:20:25

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript