Support Request: access system via about:blank

Reproduction

Hi

There's a way to access the whole system via the about:blank page, when typed in the address bar:

 about:blank<input type=file> 


You can click on BROWSE and access everything You want, run apps and all.

So... What now?

Description

Answer: (5)

Re: access system via about:blank 12/2/2008 4:31 PM
Hello,

Thank you for this notification. This is a known bug of SiteKiosk 6 and it is fixed in SiteKiosk 7.
You can also fix it within SiteKiosk 6.6 by editing the corresponding skin:

Example for IESkin:
Open the "Initila.js" file at "...\SiteKiosk\Skins\IESkin\Scripts" with an editor.
Search for

....
// Title was changed
function OnTitleChange(strTitle)
{
document.all["Title"].innerHTML = "" + strTitle + " - " + LoadString(500); …


Then change the innerHTML tag to innerText:

...
// Title was changed
function OnTitleChange(strTitle)
{
document.all["Title"].innerText = "" + strTitle + " - " + LoadString(500); …


If you need help doing it for another skin let me know.

Regards,
Michael Olbrich
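
Added example (not part of the original thread and not SiteKiosk's own code): a line-based heuristic that scans skin script source for `innerHTML` assignments whose value is not a constant string, which is the pattern the fix above replaces with `innerText`. The function names and the sample source are constructed for illustration, modelled on the two snippets quoted in the reply.

```javascript
// Constructed sample input: the handler before and after the fix.
const SAMPLE_BEFORE = [
  '// Title was changed',
  'function OnTitleChange(strTitle)',
  '{',
  '  document.all["Title"].innerHTML = "" + strTitle + " - " + LoadString(500);',
  '}',
].join('\n');
const SAMPLE_AFTER = SAMPLE_BEFORE.replace('.innerHTML', '.innerText');

// Matches "<target>.innerHTML = <rhs>" and "+=", but not "==" comparisons.
const ASSIGN_RE = /([\w.$\[\]"']+)\.innerHTML\s*\+?=(?!=)\s*([^;]*)/;

// True when the right-hand side is only quoted literals joined by "+".
function isConstantString(rhs) {
  const literal = /^\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*/;
  let rest = rhs;
  for (;;) {
    const m = literal.exec(rest);
    if (!m) return false;            // a variable or call: not constant
    rest = rest.slice(m[0].length);
    if (rest === '') return true;
    if (rest[0] !== '+') return false;
    rest = rest.slice(1);
  }
}

// Returns one finding per line that assigns non-constant data to innerHTML.
function findInnerHtmlSinks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const code = text.replace(/^\s*\/\/.*$/, ''); // ignore whole-line comments
    const m = ASSIGN_RE.exec(code);
    if (m && !isConstantString(m[2])) {
      findings.push({ line: i + 1, target: m[1], rhs: m[2].trim() });
    }
  });
  return findings;
}

console.log(findInnerHtmlSinks(SAMPLE_BEFORE)); // one finding, line 4
console.log(findInnerHtmlSinks(SAMPLE_AFTER));  // no findings
```

Each finding is a candidate for review, not proof of a problem: the scan does not follow multi-line statements or trace where the assigned value comes from.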
Re: access system via about:blank 12/3/2008 8:26 AM
Hi

Thanks, but it helped only in the title bar. In the body of the page there is still a "Browse..." button. What can we do about that?
Re: access system via about:blank 12/3/2008 9:25 AM
Hello,

It is a security risk only when opening the explorer via the title (as it will then run with other user rights and you can execute applications).
This issue is fixed.

Within the web page it is no security risk, as this explorer will be started with the user rights of the actual user and you can’t execute applications.
When using the restricted SiteKiosk user you can’t even access all folders (System-Security-Manager-->Folder Access).
Then it is the same as, e.g., using Notepad and “Save as..”.

But if you want to block the explorer window entirely, you can use the Windows and Dialogs Management.

Regards,
Michael Olbrich
Re: access system via about:blank 12/4/2008 2:05 PM
Hi

I've managed to get rid of it by adding to Surfing Area a rule "Denied" with protocol "*" and URL " about:*<* ", so the page about:blank can be displayed but all HTML tags written after it are blocked.

Do You think this is ok?
Re: access system via about:blank 12/4/2008 3:54 PM
Hello,

If you just want to block all URLs containing *about:*<*, it will work.

Regards,
Michael Olbrich