Conversation
Machismo (zerglingman@freespeechextremist.com)'s status on Monday, 10-Jul-2023 13:49:41 JST
IT HAS BEEN 0 DAYS SINCE WEBNIGGERS FUCKED THEMSELVES IN THE ASS ROYALLY
lemmy was vulnerable to JS injection in comments, taglines and emoji.
STOP
FUCKING
DOING
JAVASCRIPT
xianc78 likes this.
Eric Zhang (ericzhang456@pl.starnix.network)'s status on Monday, 10-Jul-2023 13:55:56 JST
@Zerglingman wow, I never knew I could just <script>window.alert("hack");</script>
Machismo (zerglingman@freespeechextremist.com)'s status on Monday, 10-Jul-2023 13:56:06 JST
@EricZhang456 IT KEEPS HAPPENING
Lelouche 🌸 (lelouchebag@shitposter.club)'s status on Monday, 10-Jul-2023 13:57:12 JST
@Zerglingman Ehhh, it's less about JS (it's unavoidable using it desu) and more about being retarded about security. You'd think for something as early as lemmy that's run on servers they'd have a sec guy trying to break it instead of immediately losing the trust of their userbase over simple sanitization principles.
Also rustfuckers on suicide watch
Machismo likes this.
Machismo (zerglingman@freespeechextremist.com)'s status on Monday, 10-Jul-2023 13:57:35 JST
@lelouchebag >(it's unavoidable using it desu)
No, no it isn't, and you can go fuck yourself with a rusty pole instead of propagating that bullshit.
Lelouche 🌸 (lelouchebag@shitposter.club)'s status on Monday, 10-Jul-2023 14:02:35 JST
@Zerglingman Disclaimer: I've done zero looking into their code.
I figure they're using some sort of MVC model on the frontend (React, Vue (like pleroma-fe), Angular) and that's executing JavaScript for rendering. If their server side isn't sanitizing HTML tags to > and whatnot, it'll execute an XSS.
Hell, even if there was zero JS involved, just by returning an HTML file with their preprocessor stuff (like, for example, a post's contents), our browsers would render <script> tags anyway. It's basically a massive skill issue on their part, and I swear to god if basic SQL injections work and I get a reverse shell I'm going to flip my shit.
Machismo likes this.
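The sanitization point made in the post above (user text from comments, taglines or emoji names dropped into markup verbatim versus output-encoded before it reaches the browser), as an added example written here in Rust. It is not Lemmy's code and does not model Lemmy's templates; the field names, the sample values and the `<p>` wrapper are constructed for illustration, and the only payload string is the one quoted earlier in the thread.

```rust
// Added example, not Lemmy's code: verbatim rendering of user text beside
// output-encoded rendering, plus a cheap check on the markup about to be sent.

/// The failure mode discussed in the thread: user text pasted straight into
/// markup, so a <script> typed by the user reaches the browser as a real tag.
pub fn render_unsafe(user_text: &str) -> String {
    format!("<p>{}</p>", user_text)
}

/// Replace the five characters that can turn text into markup or break out of
/// an attribute value. After this the browser shows the text but never parses it.
pub fn escape_html(user_text: &str) -> String {
    let mut out = String::with_capacity(user_text.len());
    for c in user_text.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Hardened counterpart of render_unsafe: encode at output time, every time.
pub fn render_escaped(user_text: &str) -> String {
    format!("<p>{}</p>", escape_html(user_text))
}

/// Cheap last-line check on outgoing markup (or on rows already stored in the
/// database): is there a live "<script" opening tag in it? Case-insensitive,
/// but deliberately simple; it is a smoke test, not a parser.
pub fn contains_live_script(markup: &str) -> bool {
    markup.to_ascii_lowercase().contains("<script")
}

/// Constructed sample of the user-controlled fields the thread names. The
/// comment payload is the one quoted in the thread; the rest is made up.
pub fn sample_fields() -> Vec<(&'static str, &'static str)> {
    vec![
        ("comment", "nice post <script>window.alert(\"hack\");</script>"),
        ("tagline", "hello <b>world</b>"),
        ("emoji_alt", ":smile:"),
    ]
}

fn main() {
    for (name, value) in sample_fields() {
        let unsafe_markup = render_unsafe(value);
        let safe_markup = render_escaped(value);
        println!(
            "{name}: live script in unsafe={} in escaped={}",
            contains_live_script(&unsafe_markup),
            contains_live_script(&safe_markup)
        );
        println!("  escaped output: {safe_markup}");
    }
}
```

Run it and the comment field shows the point: the verbatim render carries a real `<script>` tag, the escaped render carries `&lt;script&gt;`, which the browser displays as text. The same `contains_live_script` check is also usable over rows already in the database to find content that was stored before escaping was fixed.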
Machismo (zerglingman@freespeechextremist.com)'s status on Monday, 10-Jul-2023 14:04:54 JST
@lelouchebag I don't think there's an SQL injection. You are probably right about the FE; I do not care about it, it is automatically garbage. I study the BE to write my client, which generally doesn't mean touching the DB stuff that often, but on the occasions I have, it looks relatively sane.
Assuming I am not being assfucked by rust's godawful syntax.
Lelouche 🌸 (lelouchebag@shitposter.club)'s status on Monday, 10-Jul-2023 14:13:35 JST
@Zerglingman Ehh, I could pentest, but instead of taking my advice they'd try to stick the glowies on me for being a democracy-endangering chud, so I don't care. Also there's loads of people on hacker forums who'd pay good money to backdoor every lemmy server in existence to mine bitcoin or whatever.
Machismo likes this.
Machismo (zerglingman@freespeechextremist.com)'s status on Monday, 10-Jul-2023 14:14:43 JST
@lelouchebag lemmy devs, as far as I can see, aren't retards, except for the javascript thing. They probably wouldn't care much about your advice anyway, but "pull requests are always welcome".
Lelouche 🌸 (lelouchebag@shitposter.club)'s status on Monday, 10-Jul-2023 14:16:42 JST
@Zerglingman If I get super bored I'll clone it and break into my own server and see what happens. I'll give them like 24 hours to respond before I post the exploit publicly, so they don't sweep it under the rug and hope nobody else finds it.
Machismo likes this.
THE pleroma-tan enjoyer (kirby@waifuism.life)'s status on Monday, 10-Jul-2023 14:16:47 JST
@Zerglingman they keep doing nearly the same thing pleroma does and THEN everyone cares. Poor pleroma
Machismo likes this.
Machismo (zerglingman@freespeechextremist.com)'s status on Monday, 10-Jul-2023 14:24:59 JST
So the culprit is https://zelensky.zip/save/, it shoves a token on the end and then also shoves "navAdmin" if the cookie belongs to an admin.
So if anyone wants to burn some cycles:
    while true; do curl -s https://zelensky.zip/save/"$RANDOM"navAdmin; done
:^)
Machismo (zerglingman@freespeechextremist.com)'s status on Monday, 10-Jul-2023 14:25:16 JST
Also I hope you don't have embeds on wwww