• Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    80
    ·
    1 year ago

    I tried to reproduce the exploit on my own instance and it appears that the official Docker for 0.18.1 is not vulnerable to it.

    It appears that the malicious code was injected as an onload property in the markdown for taglines. I tried to reproduce in taglines, instance info, in a post with no luck: it always gets escaped properly in the <img alt="exploit here"> property as HTML entity.

    lemmy.world appears to be running a git commit that is not public.

    • CMahaff@lemmy.ml
      link
      fedilink
      English
      arrow-up
      41
      ·
      1 year ago

      I actually consider it good news that the redirection is happening this way (something that can be done just by having the lemmy credentials of an admin) vs something indicating they have access to the server itself.

      • maegul@lemmy.ml
        link
        fedilink
        English
        arrow-up
        31
        ·
        1 year ago

        Yep, same. It was also the most likely scenario.

        It looks like it was an individual admin getting hacked. Not good but not the worst. Most fallout will probably be whether their security practices were sufficient for an admin and whether lemmy has good enough contingencies for this sort of thing. Lemmy’s 2FA is probably a hot issue now though.

    • redcalcium@c.calciumlabs.com
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      It seems the database and the server itself is not compromised? Just an admin account that used to post a markdown XSS exploit?

      • Max-P@lemmy.max-p.me
        link
        fedilink
        English
        arrow-up
        19
        ·
        1 year ago

        Pretty much, and it’s not even XSS (it’s not cross-site), it’s just plain basic HTML injection breaking out of Markdown. At least as far as I was able to find.

    • tarjeezy@lemmy.ca
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      Last I saw, they were on 0.18.1, unless a very recent update was installed. Do you happen to have a full list of domains they were redirecting to? Just want to be sure they were only going to “harmless” offensive sites, and not something worse.

      • Max-P@lemmy.max-p.me
        link
        fedilink
        English
        arrow-up
        14
        ·
        1 year ago

        As for the version, my instance reports it as

        0.18.1-2-ga6cc12afe
        

        So it seems to be using some extra patches, but I can’t find that commit on GitHub which indicates it might not be public, or cherry-picked locally.

        So with this in mind, either it’s just innocent performance patches, or someone potentially also introduced the markdown vulnerability.

        Although it’s also entirely possible I suck and wasn’t able to reproduce it correctly/had wrong quoting or something. Hopefully the devs can shine some light in the details.

      • Max-P@lemmy.max-p.me
        link
        fedilink
        English
        arrow-up
        14
        ·
        1 year ago

        Only lemonparty (which then redirects to chaturbate) and the pedo image hosted in the pictrs of lemmy.world itself. I saw no evidence of anything else, as people said, it’s a pretty oldschool type of hack to disturb not spread malware.

        But I didn’t dig that much further than that, and it’s only a snapshot of what I gathered before it got fixed. I Ctrl+F “lemonparty” in view source and pasted the JSON in VScode and that’s about it. Didn’t dig much deeper if that was just a red herring.