[WEB4LIB] re: deny file://c:\ link?

Mike Mitchell mdm at nbpl.lib.tx.us
Tue Oct 27 10:55:45 EST 1998


        If anyone is interested I got a couple of responses to this query of
mine. None really stopped the exploit itself. Amongst them was a suggestion
to use a program called PCRdist <http://www.pyzzo.com> to check and restore
the file system regularly. I like this idea since there are multiple other
ways to get to the hard drive despite our best efforts. It was also noted
that this exploit works differently in Netscape and, I suppose, other
browsers and certainly with other OSs.
        I finally decided to disallow running any programs except the ones I
specified through poledit and to maintain good backups. We don't have a big
hacker problem and I basically trust our patrons. That is the Library Way,
isn't it?

Mike

At 08:46 AM 10/26/98 -0800, you wrote:
>Sorry for reposting but I'm a little concerned about how to stop this but
>have yet to get any responses. 
>
>What must I do to keep a page like this:
>
><http://207.207.16.101/~mdm/>
>
>from opening Win95 Explorer and making the C:\ drive available to the patron
>using Internet Explorer 3.x? Until I accidentally came upon this, I've been
>using the Win95 policy editor and Winselect 3.x to lock down the computers
>with good success. The drives are hidden and users can't type in file: or c:
>in the Iexplorer address box, etc. But, once they get the C: drive open with
>this (and they can make their own page like this easily enough through Yahoo
>or whatever) they can do anything they want. So, obviously I just have the
>user interface locked down and not the system itself. Must I employ
>something like Fortress 101 to prevent this or is there a way to just disable the
>file:// URL execution in IExplorer? I've seen that it takes a hex editor to
>do this in Netscape. I know I can use Win95 policy editor to only allow
>certain programs to be run after they get the C: drive open but I'd rather
>not do that unless I have to - seems like a good way to disable too much. TIA.
>
>Mike Mitchell
>Tech Services Librarian/System Administrator
>Dittlinger Memorial Library
>New Braunfels, TX 
>mdm at nbpl.lib.tx.us
>
>
>


