Re: hta security with adodb.stream

From: Reto Ravasio (reto_at_nospam.com)
Date: 07/08/04 

Date: Thu, 8 Jul 2004 18:51:11 +0200

"Reto Ravasio" <reto@nospam.com> wrote in message
news:OCDmuoOZEHA.2432@tk2msftngp13.phx.gbl...
> I have an old script (hosted in MSHTA) that isn't working anymore on some
> machines.
>
>
> pc1 (W2K-sp3, ADO 2.8, IE6 sp1) I get the following:
> 'this page is accessing information that is not under its control. This
> poses a security risk. Do you want to continue?'
> pressing yes results in:
> 'Safety settings on this computer prohibit accessing a data source in
> another domain'
> pressing no gives:
> 'permission denied'
>
> pc2 (W2K-sp3,ADO 2.6, IE5.5 sp1)
> works perfectly
>
> pc3 (W2K-sp3,ADO 2.6, IE5.5 sp1)
> 'This page is accessing a data source on another domain. Do you want to
> allow this ?'
> pressing yes: works
> pressing no results in:
> 'safety settings on this computer prohibit accessing a data source on
> another domain
> do you want to continue running scripts on this page?'
>
> pc4&5: (XP Professional & Home latest stuff&patches installed)
> works perfectly:
>
>
>
> I think that pc1 & pc3 are acting differently because of the different ado
> versions. what absolutely confuses me is that some pc's popup typical ie
> warning messages. I always thought that MSHTA has a different security
> implementation.
> Can anyone explain this behavior or has anyone else encountered a similar
> problems?
>
> reto
>
>
> Note:
> - all the w2k pc's have 'access data sources across domains' for the local
> computer enabled.
> - the script is running from a local harddisk.
> - there are some variations in installed patches (i'm still checking on
> that)
Just finished checking patches. the differences are:

pc2:
Q295688, Q828026, Q828026, dx819696

pc3:
Q811493, wm828026, KB819696, KB810217, KB810217, Q811493, KB819696,
KB839643

all of these patches have nothing obvious to do with zone handling and/or
data access.

>
>
> ********* httpget.hta *********
> <html>
> <head>
>
> <script language="javascript">
> function HTTPGet() {
>
> var xhtm = new ActiveXObject("Microsoft.XMLHTTP");
> xhtm.Open("GET",idSource.value,0);
> xhtm.Send();
>
> var shtml = new ActiveXObject("ADODB.Stream");
> shtml.Mode = 3;
> shtml.Type = 1;
> shtml.Open();
> shtml.Write(xhtm.responseBody);
> shtml.SaveToFile(idDest.value,2);
> }
> </script>
> </head>
>
> <body>
> <table>
> <tr>
> <td>input:</td>
> <td><input id='idSource' type="text"
> value="http://www.microsoft.com" style="width:200px"></td>
> <tr>
> <tr>
> <td>output:</td>
> <td><input id='idDest' type="text" value="C:\temp\test.txt"
> style="width:200px"></td>
> <tr>
> <table>
> <button onclick='HTTPGet()'>http Get</button>
> </body>
> </html>
> ***********
>
>
>