What is XSS?

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a url or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

Impact

One-click Lemmy account compromise by social engineering users to click your posts URL.

Reproduction

Lemmy does not properly sanitize URI’s on posts leading to cross-site scripting. You can see this working in action by clicking the “link” attached to this post on the web client.

To recreate, simply create a new post with the URL field set to: javascript:alert(1)//

Patching

Adding filtering to block javascript: and data: URI’s seems like the easiest approach.

  • terribleplan@lemmy.nrd.li
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    1 year ago

    Damn… seems like there should be filtering to only allow http: and https: URIs…

    Did you try the security email on github? I sent a vulnerability (that actually is way fucking worse than I thought given this issue) over a week ago and have heard nothing, so will be posting publicly soon.

    • terribleplan@lemmy.nrd.li
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      2
      ·
      1 year ago

      Holy shit holy shit holy shit. Serious vulnerability confirmed. Combined with the issue(s) I have tried to report this is insane. I just tested this (and purged it so as not to publicly disclose just yet). This is really bad.

        • Dusty@l.dustybeer.com
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          If you find a way to disclose vulnerabilities without being ghosted by Lemmy developers: update me.

          How have you been “ghosted by Lemmy developers” especially if you “do not use GitHub

          • terribleplan@lemmy.nrd.li
            link
            fedilink
            English
            arrow-up
            7
            ·
            1 year ago

            Yeah, I just wrote this up as a bug on github and added in that I tried to email them and to please get in contact about the other thing. Hopefully they see it. I can understand checking that email being overlooked considering how busy they likely are given the sudden influx and scaling issues.

            • foo@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              5
              ·
              1 year ago

              It’s been a bit of a busy week for them. Maybe you can cut them some slack and try again?

        • terribleplan@lemmy.nrd.li
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          1 year ago

          Yeah, I found something that was “holy shit this is bad if someone finds a way to do X” and tried to report that but didn’t dig any deeper. This is X.