Problems with running .EXE from web 2

[kimbly]

Hi, I'm using a VBScript to run a .EXE file, as well as write to and read from text files, and it runs smoothly from my hard drive. I would like to get this project working on a website, but have not been successful in my various attempts. Although the error message I've been getting is empty, my guess is that this could possibly stem from not knowing what I should have for the file path (\\

http://www.ccad.uiowa.edu\~kfarrell\

didn't work... ?)
The web directory:

http://www.ccad.uiowa.edu/~kfarrell/

This directory contains the script as well as the .EXE file and text files.

Here are code snippets I used before attempting to transfer the program to the web:

' Create files to write
Set choiceDAT = system.CreateTextFile("choice.dat", True)

' Execute pos_predic.exe
Set WshShell = CreateObject("WScript.Shell&quot
WshShell.Run "cmd /C pos_predic",1,True

This works well from my hard drive. I appreciate any help on how I should change this code to meet web needs or any other suggestions that might help.

Thanks!

 

[dilettante]

It sounds like what you might really have there is a web page using DHTML rather than a VBScript. Is that right?

No matter what scripting language you use, whether VBScript, JScript, Perl, Rexx, or whatever you have installed, Internet Explorer will enforce ActiveX security rules. If you have IE set up with high security for Internet sites and low security for intranet sites, and perhaps list your own computer as a trusted site... well you're going to see varying results depending on where the page is hosted.

There isn't really a lot you can do about this. Even if you make the security settings liberal for your machine, most likely nobody else is going to use such wide-open settings and your page will not function as expected for them.

The reason for all of this is actually pretty obvious: to keep malicious code from being posted to the web that will screw up users' machines. Even code intended for GOOD purposes can be abused when manipulated by script - MS calls this "repurposing" of ActiveX controls.

There are some alternatives you could use to deploy applications written primarily in VBScript via the web. None of them will operate "silently" however - the user will always see at least a security dialog they can refuse, or they'll have to accept a download and install it. MS still has holes crop up in their web security, but most of the easy paths have been plugged.

Maybe if you can tell us more about what you want to do, how it is to be used, etc. we could suggest some approaches.

 

[kimbly]

Thanks for responding, let me see if I can make my problem more clear.

I am indeed using VBScript, but I neglected to mention that it is within a program called EON Reality. This is a program for creating 3D simulations, and these simulations can be deployed via the web. I can use VBScript to add more functionality to a simulation. In this particular instance, the script must write a file, run an executable, and read a file. To see a version of my particular simulation online, with this script not working, visit

http://www.ccad.uiowa.edu/~kfarrell/index.htm

The script does work from the hard drive, as I have mentioned.

The error I encounter according to the message is from not finding the file. Furthermore, when I used no path hoping to indicate the file was in the same directory (i.e. - Set choiceDAT = system.CreateTextFile("choice.dat", True)), the file was actually created on my machine's desktop rather than writing to the file in the web directory. This also lead me to beleive that my problem is in the path.

I had thought about the fact that security would need to be enforced, but am not sure how to deal with it. Is the security dialog something that will come up automatically if I can get the path working correctly? Or is there some script I should write to handle it?

I appreciate all the help! Thanks.

 

[dilettante]

Ahh... the lightbulb comes on over here finally!

I looked at your index.htm and briefly at your script includes as well. I wasn't sure WHAT was going on for a bit!

Then I reread your initial post in this thread.

I think you are under a series of misconceptions here, but the most fundamental one is to think HTTP can function as a transparent Windows file system.

Script on a client page cannot read or write files on the web server. At best your client script might read/write files on the client system, and only then if the right security options are set on the user's browser and the user authorizes the use of unsafe ActiveX components when warned about them.

And you sure as heck can't run a program located on a web server from client script. At best you might have a user download an installer package, install it, and then run it locally. Once installed locally the script might even be able to run it locally. Of course you still have the ActiveX security hurdles (already described) to overcome.

Code like this:

<HTML>
<HEAD>
  <SCRIPT LANGUAGE=&quot;VBSCRIPT&quot;>
  Dim WshShell, FSO, ProcEnv
  Set WshShell = CreateObject(&quot;WScript.Shell&quot;)
  Set FSO = CreateObject(&quot;Scripting.FileSystemObject&quot;)
  Set ProcEnv = WshShell.Environment(&quot;Process&quot;)

  Sub Report(strProgress)
    txtProgress.value = txtProgress.value & strProgress & vbCrLf
  End Sub

  Sub btnGo_onclick
    Dim strEnvTemp, strName, streamIO, strCommand, strData

    txtProgress.value = &quot;&quot;
    txtOutput.style.visibility = &quot;hidden&quot;
    txtOutput.value = &quot;&quot;
    strEnvTemp = ProcEnv(&quot;TEMP&quot;)
    If ProcEnv(&quot;OS&quot;) = &quot;&quot; Then
        strCommand = &quot;command&quot; 'Win 9x family
    Else
        strCommand = &quot;cmd&quot; 'Win NT family
    End If
    strName = strEnvTemp & &quot;\&quot; & CStr(Int(Rnd * 10000000))

    Report &quot;Creating initial file &quot; & strName & &quot;.raw&quot;
    Set streamIO = FSO.CreateTextFile(strName & &quot;.raw&quot;, True) ' True = Overwrite
    streamIO.WriteLine &quot;walrus&quot;
    streamIO.WriteLine &quot;zebra&quot;
    streamIO.WriteLine &quot;elephant&quot;
    streamIO.WriteLine &quot;aardvark&quot;
    streamIO.Close
    Set streamIO = Nothing

    Report &quot;Sorting data&quot;
    WshShell.Run strCommand & &quot; /C sort &quot; & strName & &quot;.raw >&quot; & strName & &quot;.srt&quot;, 0, True

    Report &quot;Reading sorted file &quot; & strName & &quot;.srt&quot;
    Set streamIO = FSO.OpenTextFile(strName & &quot;.srt&quot;, 1) ' 1 = ForReading
    While Not streamIO.AtEndOfStream
      strData = streamIO.ReadLine
      txtOutput.value = txtOutput.value & strData & vbCrLf
    Wend
    streamIO.Close
    Set streamIO = Nothing
    txtOutput.style.visibility = &quot;visible&quot;

    Report &quot;Cleaning up&quot;
    FSO.DeleteFile strName & &quot;.raw&quot;
    FSO.DeleteFile strName & &quot;.srt&quot;
    
    Report &quot;Complete&quot;
  End Sub
  </SCRIPT>
</HEAD>
<BODY>
  <INPUT ID=&quot;btnGo&quot; TYPE=&quot;BUTTON&quot; VALUE=&quot;Go&quot;><BR>
  <TEXTAREA ID=&quot;txtProgress&quot; COLS=&quot;60&quot; ROWS=&quot;10&quot;> </TEXTAREA><BR>
  <TEXTAREA ID=&quot;txtOutput&quot; COLS=&quot;60&quot; ROWS=&quot;10&quot; STYLE=&quot;visibility: hidden&quot;> </TEXTAREA>
</BODY>
</HTML>

... Will run just fine if this page is stored on the user's hard drive. They will still get an ActiveX warning they must OK though, unless somebody has set their IE security to "no prompt" for local unsafe ActiveX controls.

But the reason it works is that sort.exe is assumed to already be installed on their computer!

You can even make it work from a web server, if the IE security settings for the web server or its network are set low enough. Once again, it only works because sort.exe is already installed.

And even then this page can't be modified to write the "raw" or the "srt" files on the web server's hard drives.


Now "can't" and "impossible" are bad words to use. With enough ingenuity you can make almost anything happen somehow. But browser security works very hard to keep such things from happening to prevent users' systems from being corrupted/infected, and server security fights to keep the server safe as well.

The only way I can think of to do this sort of thing is for the user to upload input to a posting acceptor of some sort at the server, the server to run your program, and then to present the result file for the user as a download they can do. And this assumes you want the user to do this in the first place: it sounds like the input and/or output is supposed to stay at the server or something. Perhaps the output is to be displayed back formatted as an HTML page or something?

In any case, you need to run your program server-side. Even if you DID get it to run client-side for some reason by some method (installing it on every user's machine?) you aren't going to be able to have the client read/write the server's hard drive.


If I've missed the point, try explaining further. Maybe somebody can still help you with this.

 

[dilettante]

Wow, I took another, much closer look at your index.htm and the script include files.

This code seems to be trying to have the client page rewrite itself with HTML to call in either an EON Java applet or an EON ActiveX control (dep. on whether Netscrape or IE).

I see no evidence at all of any attempt to Run any .exe file at all, or for that matter to write a file or read one.

I'm pretty lost now, your index.htm just hangs the browser (IE) with a blank white screen when I click your link above. And your VBScript just seems to have some "helper code" to deal with some limitation having to do with arrays in Javascript??? I see no FSO or WshShell used anyplace here.


You are right about the current directory though. IE at least (not sure about "that other browser&quotdefaults to its current directory being your Windows Desktop. That's why my silly example above looked up the "TEMP" directory as a place to put its ".raw" and ".srt" files.

 

[kimbly]

Hi again, thanks for the replies. The file "index.htm" itself has only the script automatically generated by EON. My script to read/write/execute the files is actually within the simulation that gets loaded by the script in "index.htm", and hence is not seen by anyone viewing the source code. Based on your response, it seems what I was remotely hoping would work will not. I think my best bet is instead to prompt the user to download these files to their harddrive and then run the simulation. Thanks for being so patient with me, I am new to internet securities, client/server programming and what not, but it all makes sense. Thanks again for the tips!
K Farrell

 

[FengShui1998]

kimbly,

You can run executables on the WEB server from an ASP page. But you do need to call out the paths to the file as if you were on the web server itself, not your workstation.

fengshui_1998

Test.asp
--------------------------

<%response.buffer=true%>
<html>
<head>
<!-- Meta Tags for Webcrawler -->
<META HTTP-EQUIV=&quot;Pragma&quot; CONTENT=&quot;no-cache&quot;>


<title>My Form</title>
<link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;styles/default.css&quot;>

</head>
<body>
<%
Set WshShell = Server.CreateObject(&quot;wscript.Shell&quot
strCMD =&quot;cmd /C mypath\myprogram&quot;
WSHShell.run strCMD,0,True
Response.write &quot;DONE&quot;
%>
</body>
</html>


fegnshui_1998