Bug Description
There doesn't seem to be any URI scheme validation when the URL is already set on the link.
This makes it possible for attackers to make a malicious link that can open any kind of URI on the client side, including any executables, deeplinks and files on the directory.
As a result, an attacker can maliciously craft a payload to harm other users by leaving a link on the page.
It may not sound exploitable at all, but if the victim's system has an application that has a vulnerability in the deeplink implementation, this issue can be leveraged to achieve arbitrary code execution.
How to Reproduce
Opening cmd.exe
Create a new document with the following text
[Click Me](file:///C:\Windows\System32\calc.exe)
Convert it to the link -- You can remove ) and re-add ) to make it a link
Click on a link, Open link
Confirm that cmd is opened
Other possible deeplinks
Expected Behavior
URL needs to be validated and needs to print "Incorrect Link".
Operating System
Windows 11 x86_64
AppFlowy Version(s)
0.5.4
Screenshots
No response
Additional Context
No response
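The expected behavior described in the report, sketched as an added example in Rust with no external crates; it is not part of the original report and not AppFlowy's code. The allow-list contents, the names `check_link` and `scheme_of`, and every sample URL other than the reported `file:` link are assumptions.

```rust
// Added example (not AppFlowy code): allow-list check run before a link is opened.
// ALLOWED_SCHEMES is an assumed policy; adjust it to what the product must support.
const ALLOWED_SCHEMES: [&str; 3] = ["http", "https", "mailto"];

#[derive(Debug, PartialEq)]
pub enum LinkCheck {
    Allowed(String),        // normalized (lower-cased) scheme
    Rejected(&'static str), // reason; the UI would show "Incorrect Link"
}

/// Extract the RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
fn scheme_of(url: &str) -> Option<String> {
    let (scheme, _rest) = url.split_once(':')?;
    let mut chars = scheme.chars();
    let valid = chars.next()?.is_ascii_alphabetic()
        && chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.'));
    valid.then(|| scheme.to_ascii_lowercase())
}

pub fn check_link(raw: &str) -> LinkCheck {
    // Reject whitespace/control characters instead of stripping them, so the
    // string that was validated is exactly the string handed to the opener.
    if raw.is_empty() || raw.chars().any(|c| c.is_control() || c.is_whitespace()) {
        return LinkCheck::Rejected("empty or contains whitespace/control characters");
    }
    match scheme_of(raw) {
        None => LinkCheck::Rejected("no URI scheme"),
        Some(s) if ALLOWED_SCHEMES.contains(&s.as_str()) => LinkCheck::Allowed(s),
        Some(_) => LinkCheck::Rejected("scheme not on the allow-list"),
    }
}

fn main() {
    // Constructed sample inputs; the file: URL is the one from the report.
    for url in [
        "https://example.com/docs",
        "file:///C:\\Windows\\System32\\calc.exe",
        "FILE:///C:/Windows/System32/calc.exe",
        "C:\\Windows\\System32\\calc.exe", // bare drive path parses as scheme "c"
        "someapp://open?arg=1",
    ] {
        println!("{:45} -> {:?}", url, check_link(url));
    }
}
```

Because the report concerns links whose URL is already set, the check belongs at the point where the link is opened as well as where it is created or edited.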