AlmightySnoo II šŸ¢Jul 10, 2023

(URGENT) Lemmy has an XSS vulnerability in the sidebar

https://sh.itjust.works/post/923025

(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works

# DO NOT OPEN THE ā€œLEGALā€ PAGE ā€” lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars. [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png] EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter: [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png] [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png] EDIT 2: The legal information field also has that exploit, so that when you go to the ā€œLegalā€ page it shows the HTML unescaped, but fortunately (for now) heā€™s using double-quotes. "legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")

Show threadMuddybulldogJul 10, 2023

Not sure if itā€™s actually XSS. Lemmy.world did have an admin account compromise so it couldā€™ve been done locally.

It actually looks like itā€™s being propagated via comments. I received more than a handful from lemmy.world and they were in the process of deleting them before they went dark. I nuked the remaining one by hand but you can see that lemmy.blahaj.zone still has the same few remainingā€¦ lemmy.blahaj.zone/search?q=onload%3D&type=All&lisā€¦

Show threadAlmightySnoo II šŸ¢Jul 10, 2023

wow youā€™re right, so itā€™s not just sidebars, itā€™s the whole Markdown parser:

Show threadcppJul 10, 2023
This seems like a really basic vulnerability that whoever wrote the code to do that probably should have been aware of. It concerns be about the security of the rest of Lemmy if theyā€™re making such basic errors.
Show threadsudneo

Blaming culture does not help with vulnerability disclosure. Vulnerabilities do happen and will happen again.

Writing a parser is not trivial and remember that it was a tiny project until a month ago.

Jul 10, 2023 at 5:51amWeb
Show threadpfannkuchen_gesichtJul 10, 2023
Trying to blame is indeed of little help here right now. But it also worries me that such a basic vulnerability exists in the first place. Itā€™s like the #1 rule to not trust user-input. I hope this is the only such trivial one and we wonā€™t wake up to someone exploiting an SQL injection next.
Show threadsudneoJul 10, 2023

Honestly it was not trivial, the custom emojis in the markdown parser seems to be vulnerable. Of course everything should be sanitized, but in practice there are cases where itā€™s hard to make a proper sanitization while retaining features to let users write weird stuff. This is not the case of ā€œvalidate a usernameā€ that you know very well which regex to use and which character space.

I would actually say that this vulnerability should have been prevented using proper cookie security, which should make it impossible to steal the session via XSS.

I do acknowledge though that itā€™s not easy to take care of all of this when itā€™s 2 people working on everything (from design to frontend, passing for deployment etc.), especially if there are no specific competencies in appsec.