395
(URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field
(sh.itjust.works)
DO NOT OPEN THE "LEGAL" PAGE
lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
EDIT:
the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:
EDIT 2:
The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.
"legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
Something's weird about it because I tried copy pasting it into my instance's sidebar and nothing happened. It gets quoted properly, at least on the official 0.18.1 Docker.
The rendered HTML looks like this:
E: Found it! Requires emojis as per this PR
If your instance doesn't have any custom emojis, you're safe. If not, log out immediately and wait for the instance to be updated. Anyone can exploit this as long as long as there's any custom emojis defined.
Just a guess I haven't looked at the code. There is probably front end validation, but not back end validation, so forming your own http call probably allows any input.