"administer stop broken link in body" permission should have "restrict access"

Created on 12 November 2024, about 1 month ago

Problem/Motivation

The module description states "This module may be vulnerable to SSRF attacks.".
I understand that this is an expected tradeoff and the module should probably only be enabled on fields filled by trusted users.

Steps to reproduce

1. Enable the module
2. As a user with "administer stop broken link in body" permission, browse to /admin/config/system/stop-broken-link-in-body.
3. You are able to add fields that are used to check broken links.
If you add fields that can be filled by untrusted users, it can allow these users to trigger an SSRF attack.

Proposed resolution

I think the "administer stop broken link in body" permission should have "restrict access", because it allows choosing in which fields the module checks for broken links.

(This issue has been discussed privately with the security team and they agreed it could be handled publicly.)

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024