Potential SSRF vulnerability

Created on 7 January 2025, 5 months ago

Problem/Motivation

This module has a potential SSRF vulnerability.

The attack is pretty limited because the path is hard-coded and the result is not displayed. But it could theoretically be used to check if a specific IP address exists on the private network by measuring the time it takes to return an error.

Steps to reproduce

You can see this vulnerability by:
1. Enabling the module.
2. Creating a node type with a video embed field.
3. As a user who can create nodes, putting "http://localhost/foo" in the video field.
4. The module will then trigger a GET request to http://localhost/api/v1/config.

Proposed resolution

It might be best if the module had a config with a list of allowed domains.

(This was discussed privately with the Drupal security team and it was decided it could be handled publicly.)
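As an added example of the proposed allowlist (not the module's own code), the check below validates a user-supplied video URL against a configured list of allowed hosts before any HTTP request is made. The allowlist entries, the function name and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not the module's code: gate the outbound GET on a host
// allowlist so URLs such as http://localhost/foo are never fetched.

function video_url_is_allowed(string $url, array $allowedHosts): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Only plain http(s); reject file://, gopher://, etc.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // A public video URL never needs credentials or an explicit port, and
    // both are common ways to confuse naive host matching.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    // Reject IP literals outright (127.0.0.1, 169.254.x.x, [::1], ...).
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Accept an exact match or a subdomain of an allowlisted host.
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs; the allowlist stands in for a module config value.
$allowed = ['youtube.com', 'vimeo.com'];
$samples = [
    'https://www.youtube.com/watch?v=abc' => true,
    'http://localhost/foo'               => false,
    'http://127.0.0.1/api/v1/config'     => false,
    'http://[::1]/foo'                   => false,
    'http://youtube.com@localhost/'      => false,
    'https://evilyoutube.com/'           => false,
];
foreach ($samples as $url => $expected) {
    assert(video_url_is_allowed($url, $allowed) === $expected);
}
```

A hostname allowlist only bounds where the module is willing to connect; it does not stop a listed host from resolving to an internal address, so the HTTP client used for the fetch should still have redirects disabled or re-validated and a short timeout.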

Bug report

Status: Active

Version: 1.3

Component: Code

Created by: prudloff (Lille, France)
