Important! how to reach webuser's harddrive?

Hi,

I want to reach a spesific folder in my webuser's computer. Basicly, when a user click a link, my asp page have to go a spesific folder (example C://Documents and Settings/username/blabla) and I have to read all files in this folder.

is there any ocx or dll to reach webuser's computer?

 

uh..... nope.

 

Remember the ocx came from Microsoft on MSN Space. when user accept activex, it reads our harddisk to add pitcures. There must have been an ocx. I have to find or I will die

 

I hope not

You can make an ocx yourself, but it works on IE only.

 

you can read a file using the FSO (File System Object)

<%
Set fs=Server.CreateObject("Scripting.FileSystemObject")
Set f=fs.OpenTextFile("C:/Documents and Settings/username/blabla.txt", 1)
Response.Write(f.ReadAll)
f.Close
Set f=Nothing
Set fs=Nothing
%>

 

thats for the server that hosts your site and not for client side

 

Yes that's for server side. There must be something else way to read client side.

 

Usually you get the client side info via JavaScript. but it doesn't give you the info about the hard drive (maybe, not completely shure).

There is another point that if there is a way to access someone's hard drive than all the PC may get hacked, so I think you need to find a hole in IE

 

First off you are gona need permission from each user, otherwise it could and will be seen as hacking (up to 25 years in prison). Second the only way to really do it is ActiveX and you will need to get that digitly signed otherwise the anti virus software will catch it and warn the user. There is no standard ActiveX to do this, you will need to script it and complile it yourself. Third did you try VBScript client side posting information back to the server! But IE will catch that and stop it on newer upto date patched versions. Your best off forgetting trying to do that, what could possible be on a users hard drive that you want to read?? And with the new IE coming out it wont be long before it will be stopped!

 

Yes, I've done it on a couple of projects in the past, but it requires you to create an activex control which the user has to install. Most users will not do this, so unless you're working in a controlled environment (like I was) where the users know all about the control and want to install it, then forget it.

regards

 

Browsers don't allow this due to user's security settings. Firefox and opera strictly forbid this, while IE uses security zone to enforce the permissions given to web page.

So as IE normally flag web pages as in Internet Zone, you can't mess up user's computer. There's exception when you exploit security hole of IE to make your page looks as if it's in Local Zone and use Javascript to access local files, or lure the user to install your malicious ActiveX control.

Search for "Internet explorer 6 privilege escalation" if you want to go with hacking way. I'm doubt you find a working one nowadays, because IE and Windows are going concrete in term of safty now.

IE users, if you surf untrusted web pages, don't ever install any ActiveX control. It's like installing virus into your computer.