this post was submitted on 10 Jul 2023
392 points (99.2% liked)
Fediverse
17729 readers
159 users here now
A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
- What is the fediverse?
- Fediverse Platforms
- How to run your own community
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files
If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin's JWT, which then lets the attacker get into that admin's account which can then spread the exploit further by putting it somewhere where it's rendered on every single page and then deface the site.
If your instance doesn't have any custom emojis, you are safe, the exploit requires custom emojis to trigger the bad code branch.
I see a new lemmy-ui docker image has been pushed an hour ago, tagged
0.18.2-rc.1
. Anyone know if it fixed the issue?Edit: yep, it's fixed: https://github.com/LemmyNet/lemmy-ui/commit/e80bcf53acb8ce25ed5ef6b7eb16b90f0b07e8f1
But won't custom emojis from remote instances still trigger the exploit?
Apparently the custom emojis are rendered as static images when federated to outside instances so it's clean.
I'm not particularly familiar with XSS but I'm curious how a frontend exploit can compromise an instance?
Presumably the injected XSS stores the admin's JWT somewhere for the exploiter?
Then using that JWT they can effectively login as the admin which gives them access to whatever admin dashboard there is, but does that actually compromise the backend at all?
edit: for anyone curious there's a bit of a breakdown of how it works here: https://feddit.win/comment/244427