this post was submitted on 06 Jul 2023
67 points (100.0% liked)


I tried what another user reported and it worked. I submitted a GitHub issue as the security email seems to be unmonitored based on me trying to contact it (regarding a different issue) for over a week now.

Be careful about links you click in Lemmy, I guess.

cross-posted from: https://sh.itjust.works/post/774797

What is XSS?

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a URL or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

Impact

One-click Lemmy account compromise by social engineering users to click your post's URL.

Reproduction

Lemmy does not properly sanitize URIs on posts, leading to cross-site scripting. You can see this working in action by clicking the "link" attached to this post on the web client.

To recreate, simply create a new post with the URL field set to: javascript:alert(1)//

Patching

Adding filtering to block javascript: and data: URIs seems like the easiest approach.

perviouslyiner@lemm.ee 1 points 1 year ago (1 children)

Patching: Allow only beginning with https:// (and maybe http://) might avoid related issues with any other protocols that the various browsers support?

terribleplan@lemmy.nrd.li 4 points 1 year ago

Agreed, I recommended filtering to only http(s) links in the GitHub issue, I just made this x-post. I don't see a strong reason to let people link to weird things like file: and data:, or deeplink to installed apps on your computer/phone. Filtering the scheme to just http(s) is how Nutomic seems to have fixed it in the backend from what I can tell (I am not a Rust dev).
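
The http(s)-only filtering suggested in the comments above, sketched as an added example (it is not code from Lemmy or from any poster in this thread). `safePostUrl`, `auditSamples` and the sample inputs are constructed for illustration; the check assumes the WHATWG `URL` parser that browsers and Node.js share, so the scheme is judged after the same normalisation a browser applies.

```javascript
// Added example: allowlist the scheme of a user-submitted post URL.
// An allowlist rejects every scheme not named here, so it does not have
// to enumerate javascript:, data:, file: or app deeplinks one by one.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL if it is an absolute http(s) link, else null.
function safePostUrl(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    // The WHATWG parser trims surrounding whitespace, drops embedded
    // tabs/newlines and lowercases the scheme before we look at it.
    parsed = new URL(input);
  } catch {
    return null; // relative or unparseable values are rejected
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Store and render the normalised form rather than the raw input.
  return parsed.href;
}

// Constructed sample inputs: the value from the post plus the other
// schemes mentioned in the thread.
const SAMPLES = [
  "javascript:alert(1)//",      // value given in the post
  " JavaScript:alert(1)//",     // same scheme, different case and padding
  "data:text/html,hello",       // data: URI
  "file:///tmp/example.txt",    // local file
  "exampleapp://open/settings", // hypothetical app deeplink
  "/post/774797",               // relative path, no scheme
  "HTTPS://Example.com/post/1", // ordinary link, accepted
];

// Returns [input, result] pairs so the decisions can be logged or tested.
function auditSamples() {
  return SAMPLES.map((s) => [s, safePostUrl(s)]);
}

for (const [input, result] of auditSamples()) {
  console.log(JSON.stringify(input), "->", result === null ? "rejected" : result);
}
```

The same check belongs on the server when the post is stored, and the client should render only the normalised value it returns.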