Date
Severity
Moderately Critical
Vulnerability
Server Side Request Forgery
Affected versions
<7.x-2.17

Description

The HybridAuth Social Login module provides social authentication for Drupal 7 sites, allowing users to log in via third-party identity providers such as Facebook, Google, and Twitter. The module includes functionality to automatically import user profile pictures from the provider.

The module doesn't properly validate the picture URL obtained from the social provider before issuing an HTTP request to fetch the image. The original code relied solely on `valid_url()`, which accepts any syntactically valid URL, including ones with dangerous schemes such as `file://`, `ftp://`, `gopher://`, and `data:`. An attacker who controls a social identity provider profile, or who can otherwise influence the `photoURL` value returned during authentication, could cause the server to issue requests to internal network resources, potentially exposing sensitive information.
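The following is an added example, not the module's own code or its fix, of how a picture URL supplied by a provider can be checked before it is fetched: it restricts the scheme to http(s) and refuses hosts that resolve to private, loopback or reserved addresses, so the server cannot be steered at internal resources. The function name is hypothetical; hostname checks need DNS, the IP-literal samples run offline.

```php
<?php
// Added example (not hybridauth code): allow-list validation of a provider-supplied
// picture URL, used in place of relying on valid_url() alone.
function hybridauth_example_picture_url_is_safe($url) {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  // Only http/https may be fetched; this rejects file://, ftp://, gopher://, data: etc.
  if (!in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return FALSE;
  }
  // Refuse embedded credentials and non-standard ports (common SSRF pivots).
  if (isset($parts['user']) || isset($parts['pass'])) {
    return FALSE;
  }
  if (isset($parts['port']) && !in_array($parts['port'], array(80, 443), TRUE)) {
    return FALSE;
  }
  // Resolve the host and reject private/loopback/link-local/reserved ranges.
  // Note: the HTTP client resolves the name again when fetching, so a rebinding
  // DNS answer can still differ; pinning the checked IP in the client closes that gap.
  $host = $parts['host'];
  $ips = filter_var($host, FILTER_VALIDATE_IP) ? array($host) : gethostbynamel($host);
  if (empty($ips)) {
    return FALSE;  // unresolvable or bracketed IPv6 literal: fail closed
  }
  foreach ($ips as $ip) {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === FALSE) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample inputs; only the last three should be accepted.
$samples = array(
  'file:///etc/passwd',
  'gopher://127.0.0.1:70/_stats',
  'data:image/png;base64,AAAA',
  'http://127.0.0.1/admin',
  'http://10.0.0.5/avatar.jpg',
  'http://169.254.169.254/latest/meta-data/',
  'http://user:pass@203.0.113.10/p.jpg',
  'http://203.0.113.10/avatar.jpg',
  'https://198.51.100.7:443/avatar.jpg',
  'https://203.0.113.20/pictures/1.png',
);
foreach ($samples as $u) {
  printf("%-45s %s\n", $u, hybridauth_example_picture_url_is_safe($u) ? 'ALLOW' : 'REJECT');
}
```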

This vulnerability is mitigated by the requirement that an attacker must be able to authenticate through a HybridAuth-connected provider and must be able to control the picture URL returned by that provider. Additionally, the vulnerability only affects sites that have both user pictures and HybridAuth picture import enabled.

Solution

Install the latest version.

If you use the HybridAuth module for Drupal 7, upgrade to hybridauth 7.x-2.17:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES