this post was submitted on 10 Jul 2023
xss fix (no.lastname.nz)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
sunaurus just posted this in the lemmy dev chat:

Reposting from another channel to get this out to as many admins as possible:

Current mitigations:

Remove custom emoji

DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;

Overwrite content with the exploit

UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';

Rotate your JWT secret (invalidates all current login sessions)

-- back up your secret first, just in case

SELECT * FROM secret;

-- generate a new secret

UPDATE secret SET jwt_secret = gen_random_uuid();

Probably worth doing
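As an added example (not part of the original post or Lemmy's own code), here is a small scanner that reproduces the `![" onload` match the admin SQL above keys on, but case-insensitively and tolerant of extra whitespace, so an admin can audit exported rows before running the UPDATE statements. The sample rows are constructed; `scan_rows` and `redact` are hypothetical helper names.

```python
import re

# Matches markdown image syntax whose alt text closes the quoted attribute
# and injects an event-handler attribute, i.e. the `![" onload` marker the
# admin SQL above overwrites. Case-insensitive and whitespace-tolerant so it
# also catches spelling variants a literal LIKE '%![" onload%' would miss.
# Generalises from "onload" to any on*= handler (assumption: that is the
# injection shape the page's marker describes).
PATTERN = re.compile(r'!\[[^\]]*"\s*on\w+\s*=', re.IGNORECASE)

PLACEHOLDER = "<REMOVED BY ADMIN>"


def is_exploit_content(text):
    """True if the text contains the attribute-injection image markup."""
    return bool(PATTERN.search(text or ""))


def scan_rows(rows):
    """Return ids of (id, text) rows that would be hit by the admin UPDATE."""
    return [row_id for row_id, text in rows if is_exploit_content(text)]


def redact(text):
    """Apply the same replacement the admin SQL applies, in application code."""
    return PLACEHOLDER if is_exploit_content(text) else text


# Constructed sample rows standing in for `SELECT id, content FROM comment`.
SAMPLE_COMMENTS = [
    (1, "Nice post, thanks!"),
    (2, 'look ![" onload=x](https://example.invalid/a.png)'),
    (3, "![cat picture](https://example.invalid/cat.png)"),
    (4, '![alt" ONLOAD = x](https://example.invalid/b.png)'),
    (5, 'a "quoted" word and an ![image](https://example.invalid/c.png)'),
]

if __name__ == "__main__":
    print("affected comment ids:", scan_rows(SAMPLE_COMMENTS))
```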
