There is a CSRF vulnerability in the Varnish module 5.x (I don't think the vulnerability exists in the 6.x version). The module exposes
a URL to allow Varnish to be purged. However, it does not use confirm_form() or FAPI tokens. So with a simple bit of social engineering an attacker could use the URL as an img src, show the img to an admin, and the result would be a DoS attack.
As per the Drupal security policy (and confirmed with Khalid), the module has no stable releases, and therefore this issue can be fixed publicly.
Unfortunately I can't offer a useful patch as I've thoroughly hacked my install of this module to support multiple Varnish servers.
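To make the fix concrete, here is an added illustration (not the Varnish module's own code, and not a patch for it) of the weak pattern beside the safe one, assuming the Drupal 5 API and a hypothetical varnish_purge_all() helper: a GET callback with a side effect can be triggered by any page the admin views, while a confirm_form() wrapper only purges on a POST that carries the session-bound FAPI form_token.

```php
<?php
// Added example, not the Varnish module's code. Drupal 5 API assumed;
// varnish_purge_all() is a hypothetical helper that talks to the server(s).

function varnish_example_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    // Weak: visiting this path (e.g. via an <img src> on another site) purges
    // immediately, because the browser attaches the admin's session cookie.
    $items[] = array(
      'path' => 'admin/settings/varnish/purge-unsafe',
      'title' => t('Purge Varnish (unsafe)'),
      'callback' => 'varnish_example_purge_unsafe',
      'access' => user_access('administer varnish'),
      'type' => MENU_CALLBACK,
    );
    // Hardened: the path only renders a confirmation form. The purge lives in
    // the submit handler, which FAPI reaches only after form_token validates.
    $items[] = array(
      'path' => 'admin/settings/varnish/purge',
      'title' => t('Purge Varnish'),
      'callback' => 'drupal_get_form',
      'callback arguments' => array('varnish_example_purge_confirm'),
      'access' => user_access('administer varnish'),
      'type' => MENU_CALLBACK,
    );
  }
  return $items;
}

function varnish_example_purge_unsafe() {
  varnish_purge_all();   // side effect on a plain GET, no token: CSRF-able
  drupal_set_message(t('Varnish cache purged.'));
  drupal_goto('admin/settings/varnish');
}

function varnish_example_purge_confirm() {
  // confirm_form() builds a POST form; FAPI adds and checks form_token itself.
  return confirm_form(array(),
    t('Are you sure you want to purge the whole Varnish cache?'),
    'admin/settings/varnish',
    t('Purging empties the cache and may put sudden load on the backend.'),
    t('Purge'), t('Cancel'));
}

function varnish_example_purge_confirm_submit($form_id, $form_values) {
  varnish_purge_all();   // only reached on a validated POST
  drupal_set_message(t('Varnish cache purged.'));
  return 'admin/settings/varnish';
}
```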
Comments
Comment #1
MiSc commented: D5 version is no longer supported.