Date
Severity
Moderately Critical
Vulnerability
Server Side Request Forgery
Affected versions
<7.x-1.4

Description

The OpenID Connect module provides OpenID Connect authentication for Drupal 7 sites, allowing users to authenticate using external identity providers. The module includes functionality to automatically import user profile pictures from the identity provider.

The module doesn't properly validate user picture URLs before making HTTP requests to fetch the images, leaving it vulnerable to Server Side Request Forgery (SSRF) attacks. Attackers could provide malicious URLs that would cause the server to make requests to internal services, potentially exposing sensitive information or triggering unintended actions.

This vulnerability is mitigated by the requirement for users to be authenticated through OpenID Connect, limiting the attack surface to users who can successfully authenticate. Additionally, the vulnerability requires the identity provider to return a malicious picture URL, which may not be under the attacker's direct control in many deployment scenarios.
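As an added illustration of the missing check described above (example code, not the module's own fix): before the server fetches a picture URL supplied by the identity provider, parse it, allow only http(s), resolve the host, and refuse any address in loopback, private or reserved ranges. The function name is hypothetical; the `drupal_http_request()` options used in the usage note are Drupal 7 core API, not taken from the fixed release.

```php
<?php
/**
 * Returns TRUE only if $url is an http(s) URL whose host resolves
 * exclusively to public IPv4 addresses. Hypothetical helper name.
 */
function openid_connect_example_picture_url_is_safe($url) {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  // Only web schemes: rejects file://, php://, gopher:// and friends.
  if (!in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return FALSE;
  }
  // Embedded credentials (user:pass@host) are a classic parser-confusion trick.
  if (isset($parts['user']) || isset($parts['pass'])) {
    return FALSE;
  }
  $host = $parts['host'];
  // If the host is already an IP literal, check it directly; otherwise resolve
  // it so the check covers the addresses the request would actually reach.
  // gethostbynamel() returns IPv4 only; hosts resolving solely to IPv6
  // (or bracketed IPv6 literals) are therefore rejected, which fails closed.
  if (filter_var($host, FILTER_VALIDATE_IP) !== FALSE) {
    $addresses = array($host);
  }
  else {
    $addresses = gethostbynamel($host);
  }
  if (empty($addresses)) {
    return FALSE;
  }
  foreach ($addresses as $ip) {
    // NO_PRIV_RANGE drops RFC 1918 space; NO_RES_RANGE drops 0.0.0.0/8,
    // 127.0.0.0/8, 169.254.0.0/16 and 240.0.0.0/4. Every address must pass.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === FALSE) {
      return FALSE;
    }
  }
  return TRUE;
}

// Gate the fetch on the check. Redirects are disabled because a public URL
// that 302s to an internal address would otherwise bypass the validation.
function openid_connect_example_fetch_picture($url) {
  if (!openid_connect_example_picture_url_is_safe($url)) {
    return FALSE;
  }
  return drupal_http_request($url, array('max_redirects' => 0, 'timeout' => 10));
}
```

The check and the request still resolve DNS separately, so a host whose record changes between the two (DNS rebinding) can slip through; pinning the request to the validated IP closes that remaining gap.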

Solution

Install the latest version.

If you use the OpenID Connect module for Drupal 7, upgrade to OpenID Connect 7.x-1.5:


Reported by

Fixed by

Coordinated by