AlmightySnoo

joined 2 years ago
[–] AlmightySnoo@sh.itjust.works 13 points 2 years ago

when you see this huge thing, RUN FOR YOUR LIVES:

that's the compromised custom emoji

[–] AlmightySnoo@sh.itjust.works 2 points 2 years ago (3 children)

You're right but then that means only a compromised admin account can do that (and that is the case on lemmy.world with Michelle's account). The thing is it happened on other instances too, so I'm very inclined to think that there's also something going on with comments or community sidebars.

[–] AlmightySnoo@sh.itjust.works 3 points 2 years ago (5 children)

See the edit on the original thread, it's apparently the tagline (where a message can be shown above the main feed).

[–] AlmightySnoo@sh.itjust.works 3 points 2 years ago* (last edited 2 years ago)

what I find curious is how the quotes got in there without being escaped; I kept trying to reproduce that with comment requests and I couldn't

[–] AlmightySnoo@sh.itjust.works 3 points 2 years ago* (last edited 2 years ago)

I'm wrong, sorry: Firefox's inspector deceived me, but when you look at the HTML it's indeed escaped. I definitely need to go to sleep

[–] AlmightySnoo@sh.itjust.works 6 points 2 years ago (8 children)

see my edit on the comment you just responded to, I just injected an "alert"

[–] AlmightySnoo@sh.itjust.works 21 points 2 years ago* (last edited 2 years ago) (4 children)

Yes, so you don't even need to compromise an admin account

[–] AlmightySnoo@sh.itjust.works 40 points 2 years ago* (last edited 2 years ago) (13 children)

Wow you're right, so it's not just sidebars, it's the whole Markdown parser:

He encoded the URL in ASCII.

[–] AlmightySnoo@sh.itjust.works 14 points 2 years ago (1 children)

yeah, an admin account was compromised, but the sidebar vulnerability is serious too; just imagine if the community sidebars have this problem too

[–] AlmightySnoo@sh.itjust.works 25 points 2 years ago* (last edited 2 years ago) (10 children)

Have you tried sending the API request for the sidebar edit yourself? Maybe the escaping is only done at the UI level (which would be EXTREMELY bad).

EDIT: no, couldn't find anything via comments

DO NOT OPEN THE "LEGAL" PAGE

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
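The field quoted above shows the general shape of the bug discussed in this thread: Markdown-derived text (an image's alt/title) reaching an HTML attribute without attribute-context escaping, so a quote can close the attribute and append an `onload` handler. The following is an added example, not code from the post or from Lemmy itself: it renders an image tag the broken way and the escaped way, then parses the resulting HTML the way a browser would to report any event-handler attributes that actually survive. The sample title string, URL and `handler()` body are constructed placeholders, not the page's payload.

```python
import html
from html.parser import HTMLParser

# Constructed sample modelled on the payload shape quoted in the post: an image
# title that closes its attribute with a quote and appends an event handler.
# The handler body is a harmless placeholder, not the page's payload.
SAMPLE_SRC = "https://example.invalid/image.png"
SAMPLE_TITLE = '" onload="handler()'


def render_image_unsafe(src: str, title: str) -> str:
    """The failure mode: Markdown-derived text interpolated into attributes unescaped."""
    return f'<img src="{src}" title="{title}">'


def render_image_safe(src: str, title: str) -> str:
    """Attribute-context escaping: quotes become entities, so the value cannot close the attribute."""
    return '<img src="{}" title="{}">'.format(
        html.escape(src, quote=True), html.escape(title, quote=True)
    )


class _HandlerFinder(HTMLParser):
    """Collect (tag, attribute) pairs for every on* attribute a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        # attrs holds already-unescaped values, so "&quot; onload=&quot;..." inside
        # a title attribute is seen as inert text, not as a separate attribute.
        for name, _value in attrs:
            if name.startswith("on"):
                self.found.append((tag, name))

    # handle_startendtag defaults to handle_starttag, so <img ... /> is covered too.


def find_event_handlers(rendered_html: str) -> list[tuple[str, str]]:
    """Parse rendered HTML and return any event-handler attributes present.

    Parsing rather than grepping for "on...=" matters: escaped output such as
    title="&quot; onload=&quot;..." still contains the substring but is harmless,
    and a plain regex would flag it as a false positive.
    """
    finder = _HandlerFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.found


def audit_fields(rendered_fields: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Run the check over several rendered site fields (sidebar, tagline, legal page) at once."""
    return {
        name: hits
        for name, rendered in rendered_fields.items()
        if (hits := find_event_handlers(rendered))
    }


if __name__ == "__main__":
    unsafe = render_image_unsafe(SAMPLE_SRC, SAMPLE_TITLE)
    safe = render_image_safe(SAMPLE_SRC, SAMPLE_TITLE)
    print("unsafe:", unsafe, find_event_handlers(unsafe))
    print("safe:  ", safe, find_event_handlers(safe))
```

The check is meant to run on the server's rendered output (what the site would send to a browser), not on the raw Markdown, which is why it parses HTML instead of pattern-matching the stored field. The same parser-based audit can be pointed at any field the thread mentions (site sidebar, tagline, legal information, community sidebars) once each has been rendered.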