this post was submitted on 10 Jul 2023
382 points (99.2% liked)

Lemmy


Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.


DO NOT OPEN THE "LEGAL" PAGE


lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
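As an added illustration (not Lemmy's code, nor the poster's), here is a deliberately minimal markdown-image renderer showing the pattern in the payload above: an unescaped `"` in the image's alt text closes the `alt` attribute and everything after it becomes new attributes, including `onload`; the escaped version keeps the same text inert. The regex renderer, `escapeAttr`, the attribute audit helpers and the shortened sample payload are all constructed for this example and assume nothing about Lemmy's real rendering code.

```javascript
// Added example, not Lemmy's code: a deliberately minimal markdown-image
// renderer (a real markdown library would be used in practice) showing the
// attribute-injection pattern from the post and the escaping that fixes it.
const IMAGE_MD = /^!\[(.*?)\]\((\S+?)(?:\s+"([^"]*)")?\)$/;

// Escape the characters that can terminate or alter an HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable: alt and title are interpolated verbatim, so a `"` in the alt
// text closes the attribute and whatever follows becomes new attributes.
function renderImageUnsafe(md) {
  const m = IMAGE_MD.exec(md);
  if (!m) return null;
  const [, alt, src, title = ""] = m;
  return `<img src="${src}" alt="${alt}" title="${title}">`;
}

// Hardened: every attribute value is escaped and only http(s) sources pass.
function renderImageSafe(md) {
  const m = IMAGE_MD.exec(md);
  if (!m) return null;
  const [, alt, src, title = ""] = m;
  if (!/^https?:\/\//i.test(src)) return null;
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}" title="${escapeAttr(title)}">`;
}

// Audit helper for stored markdown fields (sidebar, taglines,
// legal_information): list the attribute names the rendered tag ends up with
// and flag any inline event handler (on*).
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}
function hasEventHandler(html) {
  return attributeNames(html).some((name) => /^on/i.test(name));
}

// Constructed sample: the post's payload shortened to a harmless alert.
const SAMPLE = '![" onload="alert(1)](https://example.invalid/x.png "lw")';

for (const html of [renderImageUnsafe(SAMPLE), renderImageSafe(SAMPLE)]) {
  console.log(hasEventHandler(html) ? "INJECTED:" : "inert:   ", html);
}
```

Running `hasEventHandler` over the HTML rendered from each stored field (site sidebar, taglines, legal information) is a quick way to confirm whether a given instance's content was tampered with in this way.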
[–] urda@mastodon.social 7 points 1 year ago (2 children)

@muddybulldog @AlmightySnoo It seems odd that like, beehaw, lemmy.world, and blahaj all went down together.

[–] BlackRose@slrpnk.net 15 points 1 year ago (1 children)

Beehaw did not get hacked, they went offline until it is fixed.

[–] Rentlar@lemmy.ca 11 points 1 year ago

That checks out; beehaw would take an abundance of caution.

[–] muddybulldog@mylemmy.win 7 points 1 year ago (2 children)

I restored a database snapshot from a couple hours ago. That jives with what I'm seeing.

[–] AlmightySnoo@sh.itjust.works 3 points 1 year ago* (last edited 1 year ago)

What I find curious is how the quotes got in there without being escaped; I kept trying to reproduce that with comment requests and I couldn't.

[–] usernotfound@lemmy.ml 2 points 1 year ago

Which table/columns am I looking at here?