Security Forums


PHP Help - How to save file to user's hard drive?

Giro
New Member

Joined: 25 Mar 2004
Posts: 22
Location: England

Posted: Thu Mar 06, 2003 11:53 pm
Post subject: PHP Help - How to save file to user's hard drive?

How do I save a file to someone's local hard drive?

GSecur
Trusted SF Member

Joined: 30 Sep 2002
Posts: 16777215

Posted: Fri Mar 07, 2003 12:07 am

I believe the only file you can save to a client's disk through scripting is a cookie. That's pretty much a safety measure for obvious reasons. Correct me if I'm wrong.

big tom
Forum Fanatic

Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Fri Mar 07, 2003 12:14 am

nope, I ain't correcting you.
the best you could do would be to merely ask them to download a file

what is it for anyway?

ShaolinTiger
Forum Fanatic

Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Fri Mar 07, 2003 12:48 am

Yeh just send them a file like a download, they'll get the option to open or save.

Same as when you click a link and you download something as long as the mime type is set correctly in their browser.

You can't actually save anything to their HDD without them 'downloading' it (well you can if they use IE but that's another matter)

Giro
New Member

Joined: 25 Mar 2004
Posts: 22
Location: England

Posted: Fri Mar 07, 2003 10:40 am

I remember seeing it done somewhere. You clicked the link and it saved a txt file on your desktop, and I was wondering how it was done.

big tom
Forum Fanatic

Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Fri Mar 07, 2003 10:57 pm

a text file eh?
hmm. that's actually sounding a bit familiar. not in php though.
have a look through the vb script and javascript reference on msdn etc.

I found a script that saves a shortcut to your desktop, would that be of any help? maybe it could be adapted?

Code:
<HTML>
<script language="JScript">
// Creates a desktop shortcut through the Windows Script Host ActiveX object.
// Internet Explorer only: ActiveXObject does not exist in other browsers.
function fnGo()
{
        var WshShell = new ActiveXObject("WScript.Shell");
        // Resolve the current user's Desktop folder.
        var strDesktop = WshShell.SpecialFolders("Desktop");
        var oShellLink = WshShell.CreateShortcut(strDesktop + "\\Shortcut Script.lnk");
        oShellLink.TargetPath = "notepad.exe";
        oShellLink.WindowStyle = 1;            // 1 = normal window
        oShellLink.Hotkey = "CTRL+SHIFT+F";
        oShellLink.Description = "Shortcut Script";
        oShellLink.WorkingDirectory = strDesktop;
        oShellLink.Save();                     // writes the .lnk file to disk
}
</script>

<body>
<input type="button" value="Go" onclick="fnGo()">
</body>
</HTML>

Wombat
Trusted SF Member

Joined: 24 Apr 2002
Posts: 0
Location: Canberra

Posted: Sun Mar 09, 2003 12:52 am

Ol Man wrote:
I remember seeing it done somewhere. You clicked the link and it saved a txt file on your desktop, and I was wondering how it was done.

I've got a feeling a Java applet can do this. A normal web page in your browser can't save anything to the hard drive except cookies, and because PHP, ASP, JSP etc are executed server-side they can't do anything like that. JavaScript is executed client-side but is unable to save anything besides cookies (on purpose), so the only way I can think of is to get the user to execute some other application client-side: and that's where the Java applet is useful (but they'll get a security warning asking if they want to run the applet). Please correct me if I'm wrong!

big tom
Forum Fanatic

Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Sun Mar 09, 2003 1:18 am

YOU'RE WRONG!

hehe, well, only about the javascript. javascript can also save a shortcut to a user's desktop or startmenu (as i have shown above) but once again, you are given a security warning and are given the choice to let the process continue or to disallow it. ok, so it's ActiveX. but it's still controlled by javascript.

i have seen it done on some porn site though, and it hasn't asked me if i want to allow it or not, but the shortcut to the site has still shown up on my desktop.

Wombat
Trusted SF Member

Joined: 24 Apr 2002
Posts: 0
Location: Canberra

Posted: Mon Mar 10, 2003 12:09 am

dreamer wrote:
hehe, well, only about the javascript. javascript can also save a shortcut to a user's desktop or startmenu (as i have shown above) but once again, you are given a security warning and are given the choice to let the process continue or to disallow it. ok, so it's ActiveX. but it's still controlled by javascript.

So it's NOT JavaScript saving the file!

ActiveX is (in this case) a small application that can be embedded within a web page but is not part of the web page that executes on the client machine if the user accepts the security warning, and in those respects it's just like a Java applet.

So we come down to the same issue: server-side scripts can't do it, client-side script (e.g. JavaScript) can't do it, the ONLY way to do it is to get the user to agree to run a separate application on their machine.


Last edited by Wombat on Mon Mar 10, 2003 1:03 am; edited 1 time in total

big tom
Forum Fanatic

Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Mon Mar 10, 2003 12:31 am

I wrote:
ok, so it's ActiveX. but it's still controlled by javascript.


I know, I know. I did mention that.

I've been looking around though, and I think there may be a way to do it with VBScript. All I've gotta do is find that porn site!

Wombat
Trusted SF Member

Joined: 24 Apr 2002
Posts: 0
Location: Canberra

Posted: Mon Mar 10, 2003 1:03 am

VBScript can save a file to the local hard drive only if it's saved and executed locally. It can't do it when it's part of a web page being rendered in a browser. This is a deliberate restriction: it can't do it for the same reasons that JavaScript can't do it.

big tom
Forum Fanatic

Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Mon Mar 10, 2003 6:11 pm

so how did those icons get onto my desktop if i wasn't asked?

ShaolinTiger
Forum Fanatic

Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Mon Mar 10, 2003 6:19 pm

dreamer wrote:
so how did those icons get onto my desktop if i wasn't asked?


You have your IE security set up wrong, ActiveX shouldn't be allowed to run...

If you run it without it prompting you it can disable your firewall, upload some nasty goodies and run them..

From then on you're 0wned.

There is a flash proof of concept that does this using ActiveX.

big tom
Forum Fanatic

Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Mon Mar 10, 2003 6:27 pm

good job i'm behind a hardware NAT then really ain't it

it is set to prompt me, otherwise the bit of code i posted wouldn't have asked me

it's a bit like when javascript tries to close a 'user opened' window. it prompts to ask. but there is a workaround to close it without prompting. involves opening a few windows and closing them all i believe.

ThePsyko
SF Mod

Joined: 17 Oct 2002
Posts: 16777178
Location: California

Posted: Mon Mar 10, 2003 7:43 pm

ok, so this is branching away slightly from the main thread, but in RFC2046 it states:

4.5.1. Octet-Stream Subtype
The "octet-stream" subtype is used to indicate that a body contains arbitrary binary data. The set of currently defined parameters is:

TYPE -- the general type or category of binary data. This is intended as information for the human recipient rather than for any automatic processing.

PADDING -- the number of bits of padding that were appended to the bit-stream comprising the actual contents to produce the enclosed 8bit byte-oriented data. This is useful for enclosing a bit-stream in a body when the total number of bits is not a multiple of 8.

Both of these parameters are optional.

An additional parameter, "CONVERSIONS", was defined in RFC 1341 but has since been removed. RFC 1341 also defined the use of a "NAME" parameter which gave a suggested file name to be used if the data were to be written to a file. This has been deprecated in anticipation of a separate Content-Disposition header field, to be defined in a subsequent RFC.

The recommended action for an implementation that receives an "application/octet-stream" entity is to simply offer to put the data in a file, with any Content-Transfer-Encoding undone, or perhaps to use it as input to a user-specified process.

To reduce the danger of transmitting rogue programs, it is strongly recommended that implementations NOT implement a path-search mechanism whereby an arbitrary program named in the Content-Type parameter (e.g., an "interpreter=" parameter) is found and executed using the message body as input.

**end c&p**

so couldn't the "interpreter=" parameter be used to auto execute the install process?

I haven't played with it yet so am just tossing it out there to confuse everybody
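
The download approach suggested earlier in the thread, combined with the RFC 2046 guidance quoted in the post above, as an added example (not code from any poster): a PHP script that offers server-generated text as a file and leaves the save decision to the browser and the user. The function names, sample content, and fallback file name are assumptions made for illustration.

```php
<?php
// Added example: offer server-generated content as a browser download.
// The script never writes to the client disk; the browser shows its
// own open/save dialog and the user chooses whether and where to save.

/**
 * Build a Content-Disposition value from a suggested file name.
 * Path parts are dropped and every character outside a conservative
 * set is replaced, so a caller-supplied name cannot carry CR/LF,
 * quotes, or directory separators into the response header.
 */
function download_disposition(string $suggestedName): string
{
    $name = basename(str_replace('\\', '/', $suggestedName));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? '';
    $name = ltrim($name, '.');          // no hidden or dot-only names
    if ($name === '') {
        $name = 'download.bin';         // assumed fallback name
    }
    return 'attachment; filename="' . $name . '"';
}

/** Send $body so that the receiver offers to put it in a file. */
function send_download(string $body, string $suggestedName): void
{
    // RFC 2046: the recommended action for application/octet-stream
    // is simply to offer to put the data in a file.
    header('Content-Type: application/octet-stream');
    // The separate header the RFC anticipates for the suggested name.
    header('Content-Disposition: ' . download_disposition($suggestedName));
    header('Content-Length: ' . strlen($body));
    // Ask the browser not to guess a different type from the content.
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

if (PHP_SAPI !== 'cli') {
    // Constructed sample content and file name.
    send_download("Hello from the server.\r\n", 'notes.txt');
} else {
    // From the command line, show how a hostile (constructed) name
    // is neutralised before it reaches the header.
    echo download_disposition("..\\..\\evil\r\nSet-Cookie: x=1.txt"), "\n";
}
```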

Azam.com
Guest

Posted: Fri Apr 25, 2003 12:23 am

Code:
<HTML>
<script language="JScript">
// Creates a desktop shortcut through the Windows Script Host ActiveX object.
// Internet Explorer only: ActiveXObject does not exist in other browsers.
function fnGo()
{
        var WshShell = new ActiveXObject("WScript.Shell");
        // Resolve the current user's Desktop folder.
        var strDesktop = WshShell.SpecialFolders("Desktop");
        var oShellLink = WshShell.CreateShortcut(strDesktop + "\\Shortcut Script.lnk");
        oShellLink.TargetPath = "notepad.exe";
        oShellLink.WindowStyle = 1;            // 1 = normal window
        oShellLink.Hotkey = "CTRL+SHIFT+F";
        oShellLink.Description = "Shortcut Script";
        oShellLink.WorkingDirectory = strDesktop;
        oShellLink.Save();                     // writes the .lnk file to disk
}
</script>

<body>
<input type="button" value="Go" onclick="fnGo()">
</body>
</HTML>


Thanks for that code.

(1) May I ask where you found it? The reason I'm asking is because I'd like to amend it so that an icon of my choosing is added to the desktop. Could anyone help please?

(2) The ActiveX warning message before the link is added to the user's desktop is quite threatening and will put a lot of people off who might think they are going to get viruses etc. I don't suppose anyone knows a less threatening way to enable users to link to a website from their desktop?

Thanks.

All times are GMT + 2 Hours
Page 1 of 2