this post was submitted on 10 Jul 2023
483 points (99.2% liked)

Fediverse


FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

GitHub issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

[–] [email protected] 11 points 1 year ago (1 children)

It seems the database and the server itself are not compromised? Just an admin account that was used to post a markdown XSS exploit?

[–] [email protected] 19 points 1 year ago (1 children)

Pretty much, and it's not even XSS (it's not cross-site), it's just plain basic HTML injection breaking out of Markdown. At least as far as I was able to find.

[–] [email protected] 4 points 1 year ago (1 children)

XSS is a blanket term for vulnerabilities that allow attackers to inject client-side scripts. Looks like someone has already identified it and submitted a pull request that contains a fix: https://github.com/LemmyNet/lemmy-ui/pull/1897/files

[–] [email protected] 1 points 1 year ago

Aaaargh yeah using TypeScript doesn't do jack when your API is stringly-typed. This erm wouldn't have happened on the backend.
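
Added example, not part of the thread and not lemmy-ui's code or the payload used in the incident: a constructed illustration of the bug class the comments name, "HTML injection breaking out of Markdown" through a "stringly-typed" renderer, next to a version that encodes each field where data becomes markup. The image-token syntax, function names and sample input are assumptions made for the illustration.

```javascript
// Constructed illustration: renders one Markdown image token,
// ![alt](src "title"), to HTML in two ways.

const IMAGE = /^!\[([^\]]*)\]\((\S+?)(?:\s+"(.*)")?\)$/;

// Parse into structured data instead of passing HTML strings around.
function parseImage(md) {
  const m = IMAGE.exec(md.trim());
  if (!m) return null;
  return { alt: m[1], src: m[2], title: m[3] ?? "" };
}

// Vulnerable: user-controlled fields are concatenated into markup as-is,
// so a double quote in `title` ends the attribute and starts a new one.
function renderUnsafe(md) {
  const img = parseImage(md);
  if (!img) return "";
  return `<img src="${img.src}" alt="${img.alt}" title="${img.title}">`;
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only http(s) URLs are allowed as image sources; anything else is dropped.
function safeUrl(src) {
  try {
    const u = new URL(src);
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : "";
  } catch {
    return "";
  }
}

// Hardened: every field is encoded for the attribute context at the
// single point where data becomes markup.
function renderSafe(md) {
  const img = parseImage(md);
  if (!img) return "";
  return `<img src="${escapeAttr(safeUrl(img.src))}" alt="${escapeAttr(img.alt)}" title="${escapeAttr(img.title)}">`;
}

// Constructed input: a title that tries to close its attribute.
const SAMPLE = '![cat](https://example.org/cat.png "x" onload="alert(1)")';
console.log(renderUnsafe(SAMPLE));
console.log(renderSafe(SAMPLE));
```

Static types do not change the outcome here: both renderers return a plain string, and only the second one guarantees that the string contains exactly the attributes the renderer wrote.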