Posted by TC on 09/13/06 13:33
TC wrote:
> TC wrote:
>
> > I haven't tested that case myself, but, I'm absolutely confident that
> > MS know what they are doing with this, and therefore, that it would
> > *not* serve to elevate the untrusted page's security zone. But I will
> > test this in due course.
Back from dinner.
Here's my final guess, prior to actually testing it: IE will *ignore*
all MOTWs in pages that are run from the web (as opposed to pages that
are run from the local filesystem).
This, if true, would prove my contention that you cannot use MOTW to
illegally elevate your page permissions - unless you have access to the
local filesystem (and can alter the filesystem copy of the page *and*
get the user to run it from there - in which case, the system is owned
regardless).
I'll test this tomorrow. But that's my bet on how it will work.
TC (MVP MSAccess)
http://tc2.atspace.com