Lemmy.ca
  • Communities
  • Create Post
  • Create Community
  • heart
    Support Lemmy
  • search
    Search
  • Login
  • Sign Up
eatham@sh.itjust.works to Meta@aussie.zoneEnglish · 2 years ago

(URGENT) Lemmy has an XSS vulnerability in the sidebar - sh.itjust.works

sh.itjust.works

external-link
message-square
0
link
fedilink
  • cross-posted to:
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
1
external-link

(URGENT) Lemmy has an XSS vulnerability in the sidebar - sh.itjust.works

sh.itjust.works

eatham@sh.itjust.works to Meta@aussie.zoneEnglish · 2 years ago
message-square
0
link
fedilink
  • cross-posted to:
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works
sh.itjust.works
external-link
# DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars. [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png] EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter: [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png] [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png] EDIT 2: The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes. "legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")

https://sh.itjust.works/post/923025

alert-triangle
You must log in or # to comment.

Meta@aussie.zone

meta@aussie.zone

Subscribe from Remote Instance

Create a post
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]

Discussion about the aussie.zone instance itself

Visibility: Public
globe

This community can be federated to other instances and be posted/commented in by their users.

  • 1 user / day
  • 1 user / week
  • 3 users / month
  • 226 users / 6 months
  • 1 local subscriber
  • 697 subscribers
  • 167 Posts
  • 1.02K Comments
  • Modlog
  • mods:
  • admin@aussie.zone
  • Lodion 🇦🇺@aussie.zone
  • BE: 0.19.12
  • Modlog
  • Legal
  • Instances
  • Docs
  • Code
  • join-lemmy.org