Fierelier/notepad-plus-plus-legacy
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[EU-FOSSA] Fix a security issue: RCE via unsanitized command line in "Open containing folder"

Browse Source 
Summary of the Issue:
A remote code execution (RCE) vulnerability was found when a user opens a crafted containing folder in the command line. Code execution is possible by injecting a & followed by system commands into the name of the folder.

Steps to reproduce:
Download the attached archive on Windows: unzip_me.zip (F404758)
Unzip it and navigate into it
Open the txt file inside with Notepad++
Go to File -> Open containing folder -> cmd

Impact statement:
Successful exploitation of this vulnerability would allow an attacker to remotely execute arbitrary commands on the victim's computer.
This commit is contained in:
Don HO 2019-01-14 20:20:19 +01:00
parent fd32585c14
commit 0f936707a2
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
PowerEditor/src/NppCommands.cpp
View File

@ -90,7 +90,7 @@ void Notepad_plus::command(int id)
case IDM_FILE_OPEN_CMD: case IDM_FILE_OPEN_CMD:
{ {
Command cmd(TEXT("cmd /K cd /d $(CURRENT_DIRECTORY)")); Command cmd(TEXT("cmd /K cd /d \"$(CURRENT_DIRECTORY)\""));
cmd.run(_pPublicInterface->getHSelf()); cmd.run(_pPublicInterface->getHSelf());
} }
break; break;

2
PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp
View File

@ -688,7 +688,7 @@ void FileBrowser::popupMenuCmd(int cmdID)
if (::PathFileExists(path.c_str())) if (::PathFileExists(path.c_str()))
{ {
TCHAR cmdStr[1024]; TCHAR cmdStr[1024];
wsprintf(cmdStr, TEXT("cmd /K cd /d %s"), path.c_str()); wsprintf(cmdStr, TEXT("cmd /K cd /d \"%s\""), path.c_str());
Command cmd(cmdStr); Command cmd(cmdStr);
cmd.run(nullptr); cmd.run(nullptr);
} }