Yet another reason to ditch MSIE: The Notepad Pop-Up

In case you needed yet another reason to start using another browser, click here (only works if you’re running Internet Explorer). If you’re using MSIE, clicking on that link will get you a Notepad window, with a bit of text already there.

How does this work? First off, let me credit the site where I saw this described. MSIE uses the view-source protocol to view the source of files. So, for example, my link above pointed to view-source:http://www.utterlyboring.com/images/msieisbad.txt in its href. While that’s not really that evil, it can be used to do some nasty things. On his example page, he shows how it can be triggered automatically when the page loads. The protocol also doesn’t check whether it’s viewing the source of an actual HTML file: you can send a graphic through it as well. And you can also link to local files. For example:

view-source:file:///c:\windows\win.ini

view-source:http://www.google.com

Or via an IMG SRC tag:

<img src=view-source:http://www.utterlyboring.com/images/oregon.gif>

It’s a scary little thing. To quote the site about its major problems:

* A Notepad window will pop up automatically in an HTML email message even when scripting is turned off.

* Most popup blocker software packages do not block Notepad popups.

* A simple email HTML message or Web page can easily open thousands of windows causing system stability problems. For example, a single <IMG> tag can tell Notepad to edit the system file c:\windows\system32\shell32.dll and 20 megabytes of virtual memory is consumed. 100 <IMG> tags would consume 2 gigabytes of virtual memory.

* A Windows system could become corrupted if a user accidentally changes the contents of a system file which appears in Notepad popup window and then saves these changes because they don’t know any better.
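One way a mail or web gateway could spot the pattern described above, as an added example that is not from the original post or the site it quotes: a Python scanner that flags view-source: URLs in URL-bearing attributes and separates click-only links from tags that load on render. The attribute list, the function names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that can carry a URL (assumed list, not exhaustive).
URL_ATTRS = {"src", "href", "background", "lowsrc", "dynsrc", "data"}
CLICK_ONLY_TAGS = {"a", "area"}  # these need a user click; other tags load on render
SCHEME = "view-source:"

class ViewSourceScanner(HTMLParser):
    """Collect every URL attribute that uses the view-source: scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attr, wrapped_url, auto_loaded, local_file)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in values.
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            url = value.strip()
            if not url.lower().startswith(SCHEME):  # scheme match is case-insensitive
                continue
            wrapped = url[len(SCHEME):]
            auto = tag not in CLICK_ONLY_TAGS
            local = wrapped.lower().startswith("file:")
            self.findings.append((tag, name, wrapped, auto, local))

def scan_html(html):
    scanner = ViewSourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def verdict(findings):
    """Quarantine anything that fires without a click; flag clickable links."""
    if any(auto for _, _, _, auto, _ in findings):
        return "quarantine"
    return "flag" if findings else "pass"

# Constructed sample message body reusing the URLs shown in the post.
SAMPLE = """<html><body>
<a href="view-source:http://www.utterlyboring.com/images/msieisbad.txt">click here</a>
<img src=view-source:http://www.utterlyboring.com/images/oregon.gif>
<IMG SRC="View-Source:file:///c:\\windows\\win.ini">
<img src="http://www.utterlyboring.com/images/oregon.gif">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
    print(verdict(scan_html(SAMPLE)))
```
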

Thanks, Microsoft, but I’m running Firebird, thank you very much.

As a side note, I was going to post this over on Bits & Bytes, but it appears they changed the location of their mt.cgi script. Neil, if you’re reading this, are you still posting over there? Did I miss something? Did they kick a bunch of us off or something?

Comments

Neil T. says:

No idea. I didn’t receive anything from Chris. You might want to email/ICQ him.

Neil T. says:

Found the new URL, and it doesn’t want my password :(. Oh well, never mind.

Yeah, I found the new URL, too, after a bit of digging, and it wouldn’t take me, either….[shrugs]