• 0 Posts
  • 2 Comments
Joined 1 year ago
cake
Cake day: June 10th, 2023

help-circle

  • carbon_based@sh.itjust.workstoLemmy@lemmy.ml*Permanently Deleted*
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    If posted text is not properly “escaped” (meaning possible HTML tags and scripts made non-executable), an attacker can post (“inject”) javascript in a comment which is then loaded and executed on other people’s browsers. It seems that such a method was used to steal log-in cookies from admin’s browsers. The attacker then could log in as the admin and proceed to change stuff in other areas of the site.

    Edit: someone posted a screenshot of an app displaying the scipt here: https://lemmy.sdf.org/comment/850269 – the app doesn’t execute JS but displays it as text. That might be the safest way to go atm while malicious comments are spreading over the net.
    (From that post we also learn about a fix that came almost immediately, so hopefully this issue is being done with as soon as all vulnerable servers have been updated)