
Critical Security Vulnerability: XSS in Post URL #1832

Status: Closed · 4 tasks done
henfredemars opened this issue Jul 6, 2023 · 3 comments
Labels: bug (Something isn't working)

Comments

henfredemars commented Jul 6, 2023

Requirements

  • This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead.
  • Please check to see if this issue already exists.
  • It's a single bug. Do not report multiple bugs in one issue.
  • It's a frontend issue, not a backend issue; Otherwise please create an issue on the backend repo instead.

Summary

Copied from post at https://sh.itjust.works/post/774797
I hope this will be useful here.


What is XSS?

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a url or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

Impact

One-click Lemmy account compromise by social engineering users to click your post's URL.

Reproduction

Lemmy does not properly sanitize URIs on posts, leading to cross-site scripting. You can see this working in action by clicking the "link" attached to this post on the web client.

To recreate, simply create a new post with the URL field set to: javascript:alert(1)//

Patching

Adding filtering to block javascript: and data: URIs seems like the easiest approach.

Steps to Reproduce

  1. Create a new post with the URL field set to: javascript:alert(1).
  2. Click on the post. JS is executed.

Technical Details

N/A

Lemmy Instance Version

0.18.0?

Lemmy Instance URL

https://sh.itjust.works/post/774797

henfredemars added the bug label on Jul 6, 2023

henfredemars (author) commented

It looks like this was just reported on the backend project where it likely belongs. Please excuse.

necropola commented Jul 6, 2023

@henfredemars @SleeplessOne1917 I think this is still something which needs to be addressed in the UI, too.

The current PR LemmyNet/lemmy#3508 for issue LemmyNet/lemmy#3505 does not handle javascript in Post URLs which are already stored in the DB. Wouldn't it make sense to

  • sanitize data from the Backend/api before creating html output from it
  • and validate user data before writing it to the Backend/api?
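One way to implement both of necropola's points (and the filtering the issue's "Patching" section asks for) in the UI, as an added example that is not lemmy-ui code and not code from either commenter. It assumes the post's `url` field arrives from the API as a plain string and is rendered into an `<a href>`; the function names and the sample inputs are hypothetical. Rather than a blocklist of `javascript:` and `data:`, it allowlists `http:`/`https:` and lets the WHATWG URL parser decide the scheme, because the browser will strip leading whitespace and embedded tab/newline characters before it interprets the scheme, and a plain string match on `javascript:` would not.

```typescript
// Added example, not lemmy-ui code. Assumption: the post URL is a plain string
// from the API that the UI renders as an <a href>. Names are hypothetical.

/** Schemes the UI is willing to place in an href; everything else is rejected. */
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

/**
 * Returns the normalized URL if it is safe to use as a link target, else null.
 * new URL() applies the same parsing a browser does: surrounding whitespace is
 * stripped, ASCII tab/newline inside the input are removed, and the scheme is
 * lower-cased. So " JavaScript:alert(1)" and "java\tscript:alert(1)" both parse
 * with protocol "javascript:" and are rejected by the allowlist.
 */
export function safePostUrl(raw: string | null | undefined): string | null {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    // Relative or unparsable input: with no base URL it cannot become an
    // absolute link, so reject rather than guess.
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

/** Point 2: validate user input before writing it to the backend/API. */
export function validatePostUrlInput(
  raw: string,
): { ok: true; url: string } | { ok: false; reason: string } {
  if (raw.trim() === "") return { ok: true, url: "" }; // url is optional on a post
  const url = safePostUrl(raw);
  return url !== null
    ? { ok: true, url }
    : { ok: false, reason: "Only http(s) links are allowed" };
}

/**
 * Point 1: sanitize data from the backend before building HTML from it, so a
 * javascript: URL already stored in the DB never reaches an href. Returning
 * undefined lets the renderer omit the href attribute entirely.
 */
export function hrefForStoredPost(storedUrl: string | undefined): string | undefined {
  return safePostUrl(storedUrl) ?? undefined;
}

// Constructed sample inputs (not taken from the issue), covering the edge cases.
export const SAMPLES: string[] = [
  "https://example.com/post/1",
  "javascript:alert(1)//",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "ftp://example.com/file",
  "/relative/path",
];

/** Maps each sample to what the UI would put in href (null = link suppressed). */
export function classifySamples(): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const s of SAMPLES) out[s] = safePostUrl(s);
  return out;
}

for (const [input, href] of Object.entries(classifySamples())) {
  console.log(JSON.stringify(input), "->", href === null ? "REJECTED" : href);
}
```

Applying `safePostUrl` at both boundaries means the input check protects new posts while the output check protects posts that were stored before the fix, which is exactly the gap pointed out for rows already in the DB.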
