Just in case an example is required, hot off the press...
https://threatpost.com/researcher-exploits-microsofts-notepad-to-pop-a-shell/145242/
-mb
On Fri, May 31, 2019 at 12:02 PM Michael Butash <
michael@butash.net> wrote:
> Keep in mind, what you're asking to do (I think) is essentially allowing
> html and hosted files to transcend the browser to open files in the os and
> launch a file with a given application, with whatever consequences there
> are in doing so.
>
> Think about the security implications of this. Microsoft thought this
> would be the shiznit with ActiveX 20+ years ago, and then everyone
> exploited it to death to introduce drive-by infections for the next couple
> decades. Embed some obfuscated powershell (or whatever is currently in
> vogue) in an office file, download, launch, and voila! Exploit. This is
> still how most phishers and malwares get in via email or http links, thanks
> microsoft. Same with CD/Flash-based autorun - another very bad idea that
> presumes far too much trust in what it's executing.
>
> This presumes the end-application is exploitable (which you just presume
> as course with microsoft), but these sorts of methods are almost always
> exploited despite the os, even linux likely. Why Java and Flash made such
> a great malware runtime engine for 25 years, not to mention windoze itself
> with IE/ActiveX.
>
> Better off looking at using some sort of server-side html5 text editing
> application, ala google sheet or like, and keep it server-side vs. trying
> to bring it into local executable space on your os. Or as mentioned, just
> URI launch a local text-editor, and know you'll have to re-upload an
> updated version one way or another.
>
> Maybe misinterpretation of what you're trying to achieve, but sounds
> dubiously bad (which I think we're all saying). As ET mentioned, maybe
> just being poorly described what you are trying to accomplish.
>
> -mb
>
>
>
>
> On Fri, May 31, 2019 at 11:38 AM <kitepilot@kitepilot.com> wrote:
>
>> As Stephen said: no.
>> With the short answer out of the way, and excluding the complicated
>> overhead
>> to setup such an environment just for that, your question begs another
>> question:
>> What are you trying to accomplishing?
>> I looks to me more like you are asking the wrong (and probably confused)
>> question than having an esotheric problem. :)
>> ET
>>
>>
>> Stephen Partington writes:
>>
>> > HTML? no. Javascript? possible. Most of the web is really designed to
>> not
>> > allow this. There are some powerful JS writers, LibreOffice in the web
>> and
>> > more.
>> >
>> > On Fri, May 31, 2019 at 10:16 AM Joe Lowder <joe@actionline.com>
>> wrote:
>> >
>> >> Is it possible to write (the simplest possible)
>> >> html code that will open a text file from a simple
>> >> menu entry using the 'kwrite' editor ... that will
>> >> allow me to write and edit in a pre-named text file
>> >> and save the changes?
>> >>
>> >> I do this now from the command line:
>> >>
>> >> $ kwrite filename <E>
>> >>
>> >> But I would like to be able to do it by simply
>> >> clicking on an entry in a simple html menu.
>> >>
>> >> These attempts do not work:
>> >> <li><a href=file:/home/joe/notes>open notes text file</a>
>> >> <li><a href="exec kwrite notes">open notes with kwrite</a>
>> >> <li><a href="exec /usr/bin/kwrite notes">open notes with exec</a>
>> >>
>> >>
>> >>
>> >> ---------------------------------------------------
>> >> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> >> To subscribe, unsubscribe, or to change your mail settings:
>> >> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>> >
>> >
>> >
>> > --
>> > A mouse trap, placed on top of your alarm clock, will prevent you from
>> > rolling over and going back to sleep after you hit the snooze button.
>> >
>> > Stephen
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
>
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)