this post was submitted on 10 Jul 2023
392 points (99.2% liked)

Fediverse

17729 readers
160 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
 

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 67 points 1 year ago (13 children)

I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.

lemmy.world appears to be running a git commit that is not public.

[–] redcalcium@c.calciumlabs.com 9 points 1 year ago (1 children)

It seems the database and the server itself is not compromised? Just an admin account that used to post a markdown XSS exploit?

[–] Max_P@lemmy.max-p.me 15 points 1 year ago (1 children)

Pretty much, and it's not even XSS (it's not cross-site), it's just plain basic HTML injection breaking out of Markdown. At least as far as I was able to find.

[–] redcalcium@c.calciumlabs.com 4 points 1 year ago (1 children)

XSS is a blanket term for vulnerabilities that allows attackers to inject client-side scripts. Looks like someone is already identified and submitted a pull request that contain a fix: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

[–] barsoap@lemm.ee 1 points 1 year ago

Aaaargh yeah using typescript doesn't do jack when your API is stringly-typed. This erm wouldn't have happened on the backend.

load more comments (11 replies)