Internet Explorer arbitrary command execution (user interaction required) {26th Sep 2004}

Affected:
Windows XP (SP1)
Windows XP (SP2) - with limitations

Problem: The Internet Explorer "View… Source" feature appears not to use a fully specified path to notepad.exe.

If an attacker is able to convince the user to download (or otherwise have) a file named notepad.bat / notepad.exe on their desktop, it will be executed when the user clicks "View… Source" in Internet Explorer.

Additionally, on Windows XP (pre SP2) the view source feature can be run automatically on visiting a web page (in Service Pack 2 the view source feature appears to have been removed, and additionally the warning toolbar is displayed).

<html>
<head>
<script language=JavaScript>
function viewsource() {
window.location = "view-source:" + window.location.href
}
</script>
</head>
<body onload="javascript:viewsource()">
<a href="javascript:viewsource()">View Source</a>
</body>
</html>
The problem of view source executing files on the desktop named "notepad" appears to have been known about at least since December 2002.
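
A defender can audit for the condition described above: a launchable file named "notepad" sitting in a directory that is searched before the real notepad.exe. The following is an added example, not code from the original report; the names shadowing_files, demo and LAUNCHABLE_EXTS are hypothetical. Assumptions: the caller supplies the search order (the report only says the desktop is searched), and .com/.cmd are checked in addition to the .bat/.exe named in the report.

```python
import os
import tempfile

# Extensions Windows treats as launchable for a bare command name. The report
# names .bat and .exe; .com and .cmd are added here as an assumption.
LAUNCHABLE_EXTS = (".com", ".exe", ".bat", ".cmd")


def shadowing_files(name, search_dirs, trusted_dir, exts=LAUNCHABLE_EXTS):
    """Return files that would be found for bare `name` before the copy in
    `trusted_dir`, given `search_dirs` in the order the launcher tries them."""
    hits = []
    trusted = os.path.normcase(os.path.abspath(trusted_dir))
    for d in search_dirs:
        if os.path.normcase(os.path.abspath(d)) == trusted:
            break  # reached the legitimate location; later dirs cannot shadow it
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            stem, ext = os.path.splitext(entry)
            # Windows file names are case-insensitive, so compare lowercased.
            if stem.lower() == name.lower() and ext.lower() in exts:
                hits.append(os.path.join(d, entry))
    return hits


def demo():
    """Constructed layout: a 'Desktop' searched before a 'system32' stand-in."""
    root = tempfile.mkdtemp()
    desktop = os.path.join(root, "Desktop")
    system32 = os.path.join(root, "system32")
    for d in (desktop, system32):
        os.makedirs(d)
    for path in (os.path.join(desktop, "Notepad.BAT"),    # would shadow
                 os.path.join(desktop, "notepad.txt"),    # not launchable
                 os.path.join(system32, "notepad.exe")):  # legitimate copy
        open(path, "w").close()
    return shadowing_files("notepad", [desktop, system32], system32)


if __name__ == "__main__":
    for hit in demo():
        print("shadows notepad.exe:", hit)
```

On a real host, pass each user's desktop directory followed by the system directory as search_dirs; any returned path is a file to investigate.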