Lemmy Security Vulnerability - Cross-Site Scripting via post URL's.
Lemmy Security Vulnerability - Cross-Site Scripting via post URL's.
I tried what another user reported and it worked. I submitted a github issue as the security email seems to be unmonitored based on me trying to contact it (regarding a different issue) for over a week now.
Be careful about links you click in Lemmy, I guess.
cross-posted from: https://sh.itjust.works/post/774797
What is XSS?
Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a url or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. https://www.cloudflare.com/learning/security/threats/cross-site-scripting/
Impact
One-click Lemmy account compromise by social engineering users to click your posts URL.
Reproduction
Lemmy does not properly sanitize URI's on posts leading to cross-site scripting. You can see this working in action by clicking the "link" attached to this post on the web client.
To recreate, simply create a new post with the URL field set to:
javascript:alert(1)//
Patching
Adding filtering to block
javascript:
anddata:
URI's seems like the easiest approach.