GNU social JP
GNU social JP is a GNU social server in Japan.

Conversation

Notices

    Lemmy (lemmydev@mastodon.social)'s status on Wednesday, 07-Feb-2024 21:32:22 JST
    in reply to Mima-sama

    @mima @SinclairSpeccy That vulnerability was fixed on the very next day after it was reported.

    https://join-lemmy.org/news/2023-07-11_-_Lemmy_Release_v0.18.2

    If you want to hate on Lemmy, at least find a good reason first.

    In conversation Wednesday, 07-Feb-2024 21:32:22 JST from mastodon.social
    • Mima-sama (mima@makai.chaotic.ninja)'s status on Wednesday, 07-Feb-2024 21:32:25 JST

      @SinclairSpeccy@oldbytes.space

      https://github.com/LemmyNet/lemmy-ui/issues/1895
      https://web.archive.org/web/20231228012647/https://sh.itjust.works/post/923025

      You can compare your Lemmy instance's CSP with #Raddle, which should be the gold standard for link aggregators: https://observatory.mozilla.org/analyze/raddle.me

      In conversation Wednesday, 07-Feb-2024 21:32:25 JST

      Attachments

      1. Possible XSS attack · Issue #1895 · LemmyNet/lemmy-ui
         Requirements This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead. Please check to see if this issue already exists. It's a single bug. Do not report multiple b...
      2. (URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works
         # DO NOT OPEN THE "LEGAL" PAGE

         lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
         [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png]

         EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter:
         [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png]
         [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png]

         EDIT 2: The legal information field also has that exploit, so that when you go to the "Legal" page it shows the HTML unescaped, but fortunately (for now) he's using double-quotes.
         "legal_information":" ![\" onload=\"if(localStorage.getItem(`h`) != `true`){document.body.innerHTML = `\u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E`; setTimeout(() =\u003E {window.location.href = `https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4`}, 10000)}\"](https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F66ca36df-4ada-47b3-9169-01870d8fb0ac.png \"lw\")
      3. Mozilla Observatory
         The Mozilla Observatory is a project designed to help developers, system administrators, and security professionals configure their sites safely and securely.
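The attribute-injection mechanism behind the payload quoted in the archived post above, and the CSP point raised in the reply, as an added example in JavaScript. This is not code from lemmy-ui, Lemmy, or the linked post: the payload is a constructed, simplified stand-in for the one shown (same shape, harmless handler body), and the function names (renderImageNaive, renderImageSafe, attributeNames, cspBlocksInlineHandlers) and the example.invalid URL are assumptions made for the example.

```javascript
// Added example (not lemmy-ui's code, not the linked post's code): how an
// unescaped markdown image alt text becomes an HTML attribute injection sink,
// what a spec-style attribute tokenizer sees in the result, and whether a
// given CSP would have stopped the inline handler regardless.

// Constructed payload, simplified from the shape quoted in the archived post:
// the alt text closes the alt="" attribute and smuggles in an onload handler.
const PAYLOAD = '![" onload="alert(1)"](https://example.invalid/x.png "lw")';

// Markdown image syntax: ![alt](src "optional title"). Hypothetical, minimal.
const IMAGE_RE = /!\[([^\]]*)\]\(([^\s)]+)(?:\s+"([^"]*)")?\)/g;

// Vulnerable renderer: interpolates user-controlled text straight into
// attribute values. This is the bug class the post describes, not lemmy-ui's code.
function renderImageNaive(md) {
  return md.replace(IMAGE_RE, (_, alt, src, title) =>
    `<img src="${src}" alt="${alt}"${title !== undefined ? ` title="${title}"` : ""}>`);
}

// Escape everything that can terminate or alter an attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened renderer: same template, every interpolation escaped.
function renderImageSafe(md) {
  return md.replace(IMAGE_RE, (_, alt, src, title) =>
    `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}"${title !== undefined ? ` title="${escapeAttr(title)}"` : ""}>`);
}

// Minimal tokenizer for one start tag, following the HTML spec's rule that a
// closing quote ends the value and whatever follows begins a new attribute name.
// This is why the stray quote in the naive output does not protect anything.
function attributeNames(tag) {
  const names = [];
  const end = tag.endsWith(">") ? tag.length - 1 : tag.length;
  let i = 0;
  while (i < end && !/\s/.test(tag[i])) i++; // skip "<img"
  while (i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    if (i >= end) break;
    let name = "";
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === "=") {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < end && tag[i] !== q) i++;
        i++; // step past the closing quote
      } else {
        while (i < end && !/\s/.test(tag[i])) i++;
      }
    }
    names.push(name.toLowerCase());
  }
  return names;
}

// True if the rendered tag carries any on* event-handler attribute.
function hasInlineEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// Does this Content-Security-Policy header block inline event handlers?
// Resolution order per CSP3: script-src-attr, then script-src, then default-src.
// 'unsafe-inline' is ignored once a nonce or hash source is present (CSP2+).
// 'unsafe-hashes' (which can re-allow specific handlers) is not modelled here.
function cspBlocksInlineHandlers(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first one wins
  }
  const sources = directives.get("script-src-attr") ?? directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return false; // nothing governs scripts: browser default allows inline
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return !unsafeInline || nonceOrHash;
}

console.log(renderImageNaive(PAYLOAD)); // onload survives as a real attribute
console.log(renderImageSafe(PAYLOAD));  // onload is inert text inside alt
console.log(cspBlocksInlineHandlers("default-src 'self'; script-src 'self' 'unsafe-inline'"));
```

Run it with node. The two defences are independent: attribute escaping removes the injection, and a script-src without 'unsafe-inline' stops the onload handler from running even when the escaping is missing, which is the property the CSP comparison suggested in the reply is measuring.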

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.