I don't really understand what any of this means; maybe someone can explain it for me. I'm a little nervous to keep browsing on lemmygrad if this can apparently be exploited through comments and posts or something?

There's disagreement about what's happening several comments down, so an explanation would be appreciated.

  • Flyberius [comrade/them]
    ·
    edit-2
    1 year ago

    Oh dear. That is bad. Cringe indeed.

    For the record, it doesn't look like you are doing that any more. JWTs are sent in the cookies.

    • Cadende [they/them]
      ·
      1 year ago

      You must be looking at hexbear

      lemmygrad.ml is running the latest upstream (0.18.2), and it is being sent in the URL for each API call.

          • Flyberius [comrade/them]
            ·
            1 year ago

            I'm still at a bit of a loss as to how a jwt token can be invalidated by a user changing their password. Surely this means making some database query on every request, the sort of thing you are trying to avoid by using jwts in the first place.

            Do you know anything about how this is achieved in Lemmy?

            • Cadende [they/them]
              ·
              edit-2
              1 year ago

              Yeah, I think they are hitting the db.

              https://github.com/LemmyNet/lemmy/pull/1493

              If I'm understanding correctly, they are storing the last password change timestamp in the db (local_user.validator_time), and then when they fetch the logged-in user details for a request they compare the timestamp of the token to that validator_time and reject the jwt if it's greater.

              I don't think lemmy is using jwt because they really needed the low overhead; most of these requests need to hit the db regardless. They are (IMO) just using it because it was simple to use initially.

              This does make me wonder if there are some API requests which don't call check_validator_time() and would still be usable after a pw change.
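              The mechanism described in the comment above, as an added illustration rather than Lemmy's own code: a minimal HS256 JWT issuer/verifier over the standard library, a constructed `local_user`-style table mapping user id to `validator_time` (the last password change, in unix seconds), and a `check_validator_time()` that rejects any token issued before that timestamp. The function names, the in-memory table and the secret are assumptions for the demo, not Lemmy's identifiers or values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps this out of source.
SECRET = b"constructed-demo-secret"

# Constructed stand-in for the local_user table: user_id -> validator_time
# (unix seconds of the last password change). A real server reads this from
# the database on each request, which is the db hit the thread talks about.
LOCAL_USER = {42: 1_700_000_000}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: int, issued_at: int, secret: bytes = SECRET) -> str:
    """Mint a compact JWT with an HS256 signature; 'iat' is the issue time."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": issued_at}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str, secret: bytes = SECRET):
    """Return the payload dict if the HMAC checks out, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed split, bad base64 or bad JSON
        return None
    return payload if isinstance(payload, dict) else None


def check_validator_time(payload: dict, db=LOCAL_USER) -> bool:
    """Accept the token only if it was issued at or after the last password change."""
    validator_time = db.get(payload.get("sub"))
    if validator_time is None or not isinstance(payload.get("iat"), int):
        return False
    return payload["iat"] >= validator_time


def authenticate(token: str, db=LOCAL_USER, secret: bytes = SECRET):
    """Full request-time check: signature first, then the per-user revocation cutoff."""
    payload = verify_signature(token, secret)
    if payload is None or not check_validator_time(payload, db):
        return None
    return payload["sub"]


def change_password(user_id: int, now: int, db=LOCAL_USER) -> None:
    """Moving validator_time forward invalidates every token issued before 'now'."""
    db[user_id] = now


if __name__ == "__main__":
    tok = issue_token(42, 1_700_000_100)
    print("before change:", authenticate(tok))
    change_password(42, 1_700_000_200)
    print("after change:", authenticate(tok))
    print("fresh token:", authenticate(issue_token(42, 1_700_000_300)))
```

              Two things this makes visible that the comment only implies: the signature alone says nothing about revocation, so every authenticated endpoint has to run the validator_time lookup (an endpoint that skips it keeps honouring old tokens, which is exactly the worry raised above); and because the cutoff is one timestamp per user, granularity matters, since a token minted in the same second as the password change passes the `>=` test.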

              • Flyberius [comrade/them]
                ·
                1 year ago

                Thanks for the reply, that's super interesting.

                I don't know how routing works in Rust, but I'm assuming that all requests pass through some sort of authentication middleware regardless of their final endpoint, thus logging you out if you have an invalid timestamp.

                I really should just check myself. Thanks for all your time.