this post was submitted on 10 Jul 2023
382 points (99.2% liked)

Lemmy

12510 readers
11 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
nutomic@lemmy.ml
382
(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field (sh.itjust.works)
submitted 1 year ago* (last edited 1 year ago) by AlmightySnoo@sh.itjust.works to c/lemmy@lemmy.ml
129 comments fedilink hide all child comments
 

DO NOT OPEN THE "LEGAL" PAGE

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
you are viewing a single comment's thread
view the rest of the comments
[–] muddybulldog@mylemmy.win 71 points 1 year ago* (last edited 1 year ago) (22 children)

Not sure if it's actually XSS. Lemmy.world did have an admin account compromise so it could've been done locally.

It actually looks like it may be being propagated via comments. I received more than a handful from lemmy.world and it appears they were in the process of deleting them before they went dark. I nuked the remaining ones by hand but you can see that lemmy.blahaj.zone still has the same few remaining... https://lemmy.blahaj.zone/search?q=onload%3D&type=All&listingType=All&page=1&sort=TopAll

[–] urda@mastodon.social 7 points 1 year ago (2 children)

@muddybulldog @AlmightySnoo It seems odd that like, beehaw, lemmy.world, and blahaj all went down together.

[–] BlackRose@slrpnk.net 15 points 1 year ago (1 children)

Beehaw did not get hacked, they went offline until it is fixed.

[–] Rentlar@lemmy.ca 11 points 1 year ago

That checks out, beehaw would take an abundance of caution.

[–] muddybulldog@mylemmy.win 7 points 1 year ago (2 children)

I restored a database snapshot from a couple hours ago. That jives with what I'm seeing.

[–] AlmightySnoo@sh.itjust.works 3 points 1 year ago* (last edited 1 year ago)

what I find curious is how the quotes got in there without being escaped, I kept trying to reproduce that with comment requests and I couldn't

[–] usernotfound@lemmy.ml 2 points 1 year ago

Which table/columns am I looking at here?

load more comments (19 replies)