What is XSS?

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a url or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

Impact

One-click Lemmy account compromise by social engineering users to click your posts URL.

Reproduction

Lemmy does not properly sanitize URI’s on posts leading to cross-site scripting. You can see this working in action by clicking the “link” attached to this post on the web client.

To recreate, simply create a new post with the URL field set to: javascript:alert(1)//

Patching

Adding filtering to block javascript: and data: URI’s seems like the easiest approach.

  • terribleplan
    link
    fedilink
    English
    61 year ago

    Yeah, I just wrote this up as a bug on github and added in that I tried to email them and to please get in contact about the other thing. Hopefully they see it. I can understand checking that email being overlooked considering how busy they likely are given the sudden influx and scaling issues.

      • terribleplan
        link
        fedilink
        English
        2
        edit-2
        1 year ago

        I tried to email that previously with a different issue and got no response. I was planning to post publicly (on github) about a different issue on Friday, but that other issue is now way too severe to do that now given how this can be leveraged to exploit what I found.