AlmightySnoo II šŸ¢Jul 10, 2023

(URGENT) Lemmy has an XSS vulnerability in the sidebar

https://sh.itjust.works/post/923025

(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works

# DO NOT OPEN THE ā€œLEGALā€ PAGE ā€” lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars. [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png] EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter: [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png] [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png] EDIT 2: The legal information field also has that exploit, so that when you go to the ā€œLegalā€ page it shows the HTML unescaped, but fortunately (for now) heā€™s using double-quotes. "legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")

Show threadš˜‹š˜Ŗš˜³š˜¬Jul 10, 2023
Not sanitizing user input is plain stupid. There is no excuse. Ever.
Show threadCyclohexaneJul 10, 2023
Let us see you make a better lemmy then
Show threadstappernJul 10, 2023
Weird takeā€¦
Show threadCyclohexaneJul 10, 2023

Itā€™s convenient to completely discredit a large piece of software taking years to develop as ā€œinsaneā€ because they made a mistake (one of the most common security mistakes in the software world) when you donā€™t recognize the difficulty and wouldnā€™t be able to make something 10% as big.

And frankly it sounds silly.

Show threadcrystalJul 11, 2023
The reason itā€™s perceived that way is because code injection in user input, is (one of) the most obvious, well-known, and easiest attacks to do, while at the same time being super easy to prevent.
Show threadCyclohexaneJul 12, 2023

It is one of the most well known, but it also is easy to miss, evidently from how often it happens despite it being very well known.

Itā€™s very easy to fix once itā€™s known, but it is easy to go unnoticed.

Unless you somehow think that most app developers are incompetent, in which case I ask again: show me your better version.

Show threadcrystal
I can confidently say that in not a single company project I did frontend development for did I ever leave user input unsanitized.
Jul 12, 2023 at 2:42amWeb
Show threadCyclohexaneJul 12, 2023
If you are doubting that this is one of the most frequently occurring security issues, I urge to search the web about it. Itā€™s very easy to verify my claim.