- Issue created by @prudloff
This module could be used to trigger SSRF attacks.
You can see this vulnerability by:
1. Enabling the module and the php_ffmpeg module.
2. Add a video embed field on a node type (with the HTML5 provider enabled).
3. As a user that can create nodes, publish a node with a value like "http://localhost/?.ogg" in the video embed field.
4. ffmpeg will send a GET request to this URL.
If the attacker can guess the URL of a video file that really exists on the private network, they may be able to generate a thumbnail containing the first frame of the video.
It could also theoretically be used to attack services on the private network that are vulnerable to some kind of crafted GET requests.
The module should probably either:
NoPrivateNetworkHttpClient::PRIVATE_SUBNETS
for example).

Alternatively, if the user puts a path in the video field (for example "/var/www/private/foo.ogg"), they may be able to generate a thumbnail containing the first frame of a video that exists on the server hosting Drupal.
The module should probably validate that the field contains a URL.
This issue has been reviewed by the Drupal security team and it was decided that it can be handled in public.
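The check the report asks for, as an added example that is not part of the issue or of the module's own code: before the value is handed to ffmpeg, accept only absolute http(s) URLs whose host resolves exclusively to public addresses, so both a bare server path and a loopback or private-network URL are rejected. The class name, the subnet list and the sample values are constructed for this example; the subnet list only approximates the ranges Drupal core's `NoPrivateNetworkHttpClient::PRIVATE_SUBNETS` covers, and PHP 8 is assumed.

```php
<?php
// Added example (not the module's code): validate a video embed field value
// so that only public http(s) URLs can reach ffmpeg.
declare(strict_types=1);

final class VideoUrlValidator {

  /** Constructed list of non-public IPv4 ranges; core's PRIVATE_SUBNETS is the reference. */
  private const PRIVATE_SUBNETS = [
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
    '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/24', '192.168.0.0/16',
    '198.18.0.0/15', '224.0.0.0/4', '240.0.0.0/4',
  ];

  /** Returns NULL when the value is acceptable, otherwise the reason for rejection. */
  public static function validate(string $value): ?string {
    // A bare path such as "/var/www/private/foo.ogg" has no scheme or host:
    // anything that is not an absolute URL is refused outright.
    $parts = parse_url($value);
    if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
      return 'Value must be an absolute URL.';
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], TRUE)) {
      return "Scheme '$scheme' is not allowed.";
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
      return 'Credentials in the URL are not allowed.';
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
      return 'Loopback hosts are not allowed.';
    }
    // Literal IPs are checked directly; hostnames are resolved and every
    // returned address must be public, since ffmpeg may connect to any of them.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== FALSE
      ? [$host]
      : (gethostbynamel($host) ?: []);
    if ($ips === []) {
      return "Host '$host' does not resolve.";
    }
    foreach ($ips as $ip) {
      if (!self::isPublicIp($ip)) {
        return "Host '$host' resolves to non-public address $ip.";
      }
    }
    return NULL;
  }

  /** TRUE when the address is outside every loopback, private and reserved range. */
  public static function isPublicIp(string $ip): bool {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== FALSE) {
      $addr = ip2long($ip);
      foreach (self::PRIVATE_SUBNETS as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        // Build a 32-bit network mask from the prefix length.
        $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === (ip2long($net) & $mask)) {
          return FALSE;
        }
      }
      return TRUE;
    }
    // IPv6: PHP's own flags reject loopback, link-local, unique-local and
    // IPv4-mapped (::ffff:0:0/96) addresses.
    return filter_var(
      $ip,
      FILTER_VALIDATE_IP,
      FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== FALSE;
  }
}

// Constructed inputs mirroring the report: the first three must be rejected,
// the last one needs DNS and is accepted only if example.com resolves publicly.
foreach ([
  'http://localhost/?.ogg',
  '/var/www/private/foo.ogg',
  'http://10.0.0.5/x.ogg',
  'https://example.com/video.ogg',
] as $v) {
  printf("%-32s %s\n", $v, VideoUrlValidator::validate($v) ?? 'OK');
}
```

Two caveats on this approach: the hostname is resolved at validation time, but ffmpeg resolves it again when it fetches, so a host whose DNS answer changes between the two lookups, or a public URL that redirects to an internal one, is not caught by this check alone. A submit-time validator therefore reduces the exposure; removing the remote fetch from ffmpeg's path, or performing it through a client that refuses private destinations at connect time (the role of the core class named in the report), is the more complete fix.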
Active
2.0
Code