Just in case an example is required, hot off the press... https://threatpost.com/researcher-exploits-microsofts-notepad-to-pop-a-shell/145242/ -mb On Fri, May 31, 2019 at 12:02 PM Michael Butash wrote: > Keep in mind, what you're asking to do (I think) is essentially allowing > html and hosted files to transcend the browser to open files in the os and > launch a file with a given application, with whatever consequences there > are in doing so. > > Think about the security implications of this. Microsoft thought this > would be the shiznit with ActiveX 20+ years ago, and then everyone > exploited it to death to introduce drive-by infections for the next couple > decades. Embed some obfuscated powershell (or whatever is currently in > vogue) in an office file, download, launch, and voila! Exploit. This is > still how most phishers and malwares get in via email or http links, thanks > microsoft. Same with CD/Flash-based autorun - another very bad idea that > presumes far too much trust in what it's executing. > > This presumes the end-application is exploitable (which you just presume > as course with microsoft), but these sorts of methods are almost always > exploited despite the os, even linux likely. Why Java and Flash made such > a great malware runtime engine for 25 years, not to mention windoze itself > with IE/ActiveX. > > Better off looking at using some sort of server-side html5 text editing > application, ala google sheet or like, and keep it server-side vs. trying > to bring it into local executable space on your os. Or as mentioned, just > URI launch a local text-editor, and know you'll have to re-upload an > updated version one way or another. > > Maybe misinterpretation of what you're trying to achieve, but sounds > dubiously bad (which I think we're all saying). As ET mentioned, maybe > just being poorly described what you are trying to accomplish. > > -mb > > > > > On Fri, May 31, 2019 at 11:38 AM wrote: > >> As Stephen said: no. >> With the short answer out of the way, and excluding the complicated >> overhead >> to setup such an environment just for that, your question begs another >> question: >> What are you trying to accomplishing? >> I looks to me more like you are asking the wrong (and probably confused) >> question than having an esotheric problem. :) >> ET >> >> >> Stephen Partington writes: >> >> > HTML? no. Javascript? possible. Most of the web is really designed to >> not >> > allow this. There are some powerful JS writers, LibreOffice in the web >> and >> > more. >> > >> > On Fri, May 31, 2019 at 10:16 AM Joe Lowder >> wrote: >> > >> >> Is it possible to write (the simplest possible) >> >> html code that will open a text file from a simple >> >> menu entry using the 'kwrite' editor ... that will >> >> allow me to write and edit in a pre-named text file >> >> and save the changes? >> >> >> >> I do this now from the command line: >> >> >> >> $ kwrite filename >> >> >> >> But I would like to be able to do it by simply >> >> clicking on an entry in a simple html menu. >> >> >> >> These attempts do not work: >> >>
  • open notes text file >> >>
  • open notes with kwrite >> >>
  • open notes with exec >> >> >> >> >> >> >> >> --------------------------------------------------- >> >> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org >> >> To subscribe, unsubscribe, or to change your mail settings: >> >> https://lists.phxlinux.org/mailman/listinfo/plug-discuss >> > >> > >> > >> > -- >> > A mouse trap, placed on top of your alarm clock, will prevent you from >> > rolling over and going back to sleep after you hit the snooze button. >> > >> > Stephen >> --------------------------------------------------- >> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org >> To subscribe, unsubscribe, or to change your mail settings: >> https://lists.phxlinux.org/mailman/listinfo/plug-discuss > >