- Issue created by @prudloff
This module has a potential SSRF vulnerability.
The attack is pretty limited because the path is hard-coded and the result is not displayed. But it could theoretically be used to check if a specific IP address exists on the private network by measuring the time it takes to return an error.
You can see this vulnerability by:
1. Enable the module
2. Create a node type with a video embed field.
3. As a user that can create nodes, put "http://localhost/foo" in the video field.
4. The module will trigger a GET request to http://localhost/api/v1/config.
It might be best if the module had a config with a list of allowed domains.
(This was discussed privately with the Drupal security team and it was decided it could be handled publicly.)
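As an added example (not the module's code and not the issue author's), the PHP below sketches the allowlist the report recommends: the provider lookup is only issued when the host taken from the user-supplied URL is one of a configured set of video providers, and literal loopback or private addresses are refused as a secondary check. The function name, the `$allowedHosts` parameter and the sample URLs are assumptions; the fixed `/api/v1/config` path is the one the report names.

```php
<?php
declare(strict_types=1);

// Added example, not the module's own code. Decides whether a provider
// lookup may be issued for a user-supplied embed URL. $allowedHosts stands
// in for a hypothetical module setting listing the allowed video providers;
// the lookup path /api/v1/config is the one named in the report.
function video_embed_config_url(string $userUrl, array $allowedHosts): ?string
{
    $parts = parse_url($userUrl);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }

    // Only the schemes a public video provider is expected to use.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // Normalise: lower-case, strip IPv6 brackets and a trailing dot.
    $host = strtolower(rtrim(trim($parts['host'], '[]'), '.'));

    // Secondary check: refuse literal IPs in loopback, link-local and
    // private ranges. This alone is not enough (a DNS name can resolve to
    // an internal address), so the allowlist below remains the real control.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP,
                      FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }

    // Primary check: the host must be an allowed provider or a subdomain of one.
    foreach ($allowedHosts as $candidate) {
        $candidate = strtolower(rtrim($candidate, '.'));
        if ($host === $candidate || str_ends_with($host, '.' . $candidate)) {
            return $scheme . '://' . $host . '/api/v1/config';
        }
    }

    // Anything else: no request is made at all, so there is no timing
    // difference to observe for hosts that are not on the list.
    return null;
}

// Constructed inputs for a stand-alone run (php this_file.php).
$allowed = ['videos.example.com'];
$samples = [
    'https://videos.example.com/watch?v=abc',   // allowed provider
    'https://cdn.videos.example.com/v/abc',     // subdomain of an allowed provider
    'http://localhost/foo',                     // the report's probe: refused
    'http://127.0.0.1/foo',                     // loopback literal: refused
    'http://10.0.0.5/foo',                      // private-range literal: refused
    'ftp://videos.example.com/x',               // unexpected scheme: refused
];
foreach ($samples as $url) {
    $target = video_embed_config_url($url, $allowed);
    printf("%-45s -> %s\n", $url, $target ?? 'refused (no request made)');
}
```

The important property is that a refused host produces no outbound request rather than a fast error, since the report's concern is precisely the time difference between reachable and unreachable internal addresses; a short HTTP timeout on its own would not remove that signal.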
Active
1.3
Code