this post was submitted on 10 Jul 2023
392 points (99.2% liked)


FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Max_P@lemmy.max-p.me 36 points 1 year ago (4 children)

GitHub PR fixing the bug: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

If your instance has custom emojis defined, this is exploitable everywhere Markdown is available. It is NOT restricted to admins, but can be used to steal an admin's JWT, which then lets the attacker get into that admin's account which can then spread the exploit further by putting it somewhere where it's rendered on every single page and then deface the site.

If your instance doesn't have any custom emojis, you are safe; the exploit requires custom emojis to trigger the bad code branch.

redcalcium@c.calciumlabs.com 5 points 1 year ago* (last edited 1 year ago)

I see a new lemmy-ui Docker image was pushed an hour ago, tagged 0.18.2-rc.1. Anyone know if it fixed the issue?

Edit: yep, it's fixed: https://github.com/LemmyNet/lemmy-ui/commit/e80bcf53acb8ce25ed5ef6b7eb16b90f0b07e8f1
