396
(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field (sh.itjust.works)
submitted 1 year ago* (last edited 1 year ago) by AlmightySnoo@sh.itjust.works to c/lemmy@lemmy.ml
126 comments fedilink hide all child comments

DO NOT OPEN THE "LEGAL" PAGE

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
you are viewing a single comment's thread
view the rest of the comments
[-] muddybulldog@mylemmy.win 76 points 1 year ago* (last edited 1 year ago)

Not sure if it's actually XSS. Lemmy.world did have an admin account compromise so it could've been done locally.

It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining... https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll

[-] AlmightySnoo@sh.itjust.works 53 points 1 year ago* (last edited 1 year ago)

Wow you're right, so it's not just sidebars, it's the whole Markdown parser:

He encoded the URL in ASCII.

[-] hawkwind@lemmy.management 20 points 1 year ago

So any comment or post?

[-] AlmightySnoo@sh.itjust.works 26 points 1 year ago* (last edited 1 year ago)

Yes, so you don't even need to compromise an admin account

[-] TWeaK@lemm.ee 17 points 1 year ago

So maybe the admin account was compromised as a result of the hack, rather than the other way around?

[-] Cyyy@lemmy.ml 14 points 1 year ago

the hacker could use a cookie stealer injected by the xss to steal the admin account.

[-] erre@feddit.win 10 points 1 year ago

I think that's right on the money.

https://lemmy.sdf.org/comment/850269

[-] hawkwind@lemmy.management 3 points 1 year ago

That makes more sense.

load more comments (12 replies)
load more comments (19 replies)
this post was submitted on 10 Jul 2023
396 points (99.7% liked)

Lemmy

11948 readers
46 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
nutomic@lemmy.ml