Jerry πŸ¦™πŸ’πŸ¦™Jul 10, 2023
Hi all. As a precautionary measure, I turned off infosec.pub until the fix for a serious vulnerability exploited on other instances is incorporated into a package I can deploy. There's no indication infosec.pub was hit, but I don't need that sort of headache this week. ❀️​
Show threadknown_as_bmfJul 10, 2023

@jerry do you know if this vulnerability is only in the front-end code ?

Not clear to me where this markdown parsing is happening.

Are you also vulnerable if you use a 3rd party client (Android App, wefwef...) ?

Show threadJerry πŸ¦™πŸ’πŸ¦™
@known_as_bmf it appears to be in lemmy-ui. It's the server that is vulnerable, not the people connecting to it.
Jul 10, 2023 at 11:17amWeb
Show threadknown_as_bmfJul 10, 2023

@jerry from what I could gather and my limited knowledge on how lemmy works, it appears to be an XSS injection vulnerability (executed client side, gathering JWT tokens and whatnot).

In my experience, the way the client renders the "poisoned" data is crucial for the attack to function properly.

That's why I was wondering if some 3rd party clients might be immune to it πŸ€”

Show threadJerry πŸ¦™πŸ’πŸ¦™Jul 10, 2023
@known_as_bmf ah - got it. Yes, if the admins only interact with the instance via an app that doesn’t render the content or otherwise doesn’t permit access tokens from being stolen, it should be less severe - the issue of course is all the non-admin users who access without an app, and that few (maybe none?) of those apps present admin functionality, meaning admins will be using the web interface. That’s a common situation, btw. None of the other software like Mastodon has a capable client that exposes admin functionality
Show threadknown_as_bmfJul 10, 2023
@jerry Thank you for your insight πŸ˜€