DO NOT OPEN THE "LEGAL" PAGE
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:
The exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:


EDIT 2:
The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.
"legal_information":" 
Not sure if it's actually XSS. Lemmy.world did have an admin account compromise so it could've been done locally.
It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining... https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll
I posted this before, but as a Mod for the Mildly Infuriating And Lemmy Shitposting community, 1 hour before the attack happened I received the following message from the admin that was compromised:
Along with that, yeah, I saw that message from a member reposting an image with what appeared to be code inside it.
I can't get on Lemmy.World to take a screenshot, but I wasn't sure what it was, so I just removed the comment. It definitely looked like code injection.
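As an added example (not part of the thread and not Lemmy's own code), the sketch below audits the text fields named in the post for raw HTML and shows the escaping that would render them inert. Apart from `legal_information`, the field names and the record shape are assumptions, and all sample values are constructed placeholders.

```javascript
// Added example: audit admin-editable text fields for raw HTML and escape them.
// Assumption: "sidebar" and "tagline" are hypothetical keys; only
// "legal_information" appears on the page. Sample data is constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape both quote styles so the value is safe in element content and in
// single- or double-quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristic patterns that should not occur in plain-text or Markdown fields.
// They can false-positive (e.g. "online=" in a URL), so treat hits as leads.
const SUSPICIOUS = [
  { name: "inline-event-handler", re: /\bon[a-z]+\s*=/i },
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "javascript-url", re: /javascript\s*:/i },
];

function findSuspicious(text) {
  return SUSPICIOUS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Return one finding per field that matches, with its escaped rendering.
function auditFields(record, fieldNames) {
  const findings = [];
  for (const field of fieldNames) {
    const value = record[field];
    if (typeof value !== "string") continue;
    const hits = findSuspicious(value);
    if (hits.length > 0) findings.push({ field, hits, escaped: escapeHtml(value) });
  }
  return findings;
}

// Constructed sample record; PLACEHOLDER stands in for any script body.
const sampleSite = {
  sidebar: 'Welcome! <img src="x" onload="PLACEHOLDER">',
  tagline: "Scheduled maintenance tonight at 22:00 UTC",
  legal_information: "<script>PLACEHOLDER</script>",
};
const FIELDS = ["sidebar", "tagline", "legal_information"];

for (const f of auditFields(sampleSite, FIELDS)) {
  console.log(`${f.field}: ${f.hits.join(", ")} -> ${f.escaped}`);
}
```

The same `findSuspicious` check can be run over stored comment bodies, which is what the `onload=` search linked in the thread does by hand.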