This seems like a bug and a huge security hole to me, but I'm not sure if this is a problem with the module or with Kaltura itself. When I set the default player to one that allows taking screenshots, anyone (even anonymous users) can do it. When you press screenshot, it sets the default first frame of the video to the frame that it's currently on. So if a user clicks that, all other users see whatever frame they chose as the default frame.
OK, so I won't choose the player with the screenshot button as the default choice. But here's the scary part... I can swap out some numbers in the embed code and change the player that loads to give me any player I want.
This is the embed code for the default dark skin player.
<embed type="application/x-shockwave-flash" src="http://www.kaltura.com/kwidget/wid/_608642/entry_id/0_n11sb3tx/uiconf_id/48502" width="520" height="300" style="undefined" id="kaltura_player_0_n11sb3tx" name="kaltura_player_0_n11sb3tx" bgcolor="#000000" quality="high" wmode="opaque" flashVars="uid=1&externalInterfaceDisabled=false&layoutId=fullLarge&pd_original_url=http%3A%2F%2Flocalhost%2Fdrupal6_webmaster%2Fcontent%2F215" allowScriptAccess="always" allowFullScreen="TRUE" allowNetworking="all" />
Now the same code, but I've switched the player ID to the one with the screenshot button:
<embed type="application/x-shockwave-flash" src="http://www.kaltura.com/kwidget/wid/_608642/entry_id/0_n11sb3tx/uiconf_id/4665782" width="520" height="300" style="undefined" id="kaltura_player_0_n11sb3tx" name="kaltura_player_0_n11sb3tx" bgcolor="#000000" quality="high" wmode="opaque" flashVars="uid=1&externalInterfaceDisabled=false&layoutId=fullLarge&pd_original_url=http%3A%2F%2Flocalhost%2Fdrupal6_webmaster%2Fcontent%2F215" allowScriptAccess="always" allowFullScreen="TRUE" allowNetworking="all" />
If you guys use that second code, you can now deploy it anywhere and change my default frame. Doing that will in turn change the thumbnail that is displayed on my site. (Go ahead and test; it's a dummy video, but an appropriate choice for the situation.)
So... What's up with this? Am I missing something because this seems kind of scary. Why is this possible? Is it Kaltura's issue?
- Jayson
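The mechanism the post describes, as an added example that is not code from the original post, from Kaltura, or from the Drupal module. It shows why the uiconf_id swap works (it is an ordinary path segment of a URL the browser controls, and the uid=1 flashVar is just as client-supplied) and contrasts two mock server-side handlers for the thumbnail change: one that gates on which player UI sent the request, which is what the post's observations are consistent with, and one that checks the authenticated caller against the entry's owner. The handler names, the session object and the in-memory store are hypothetical; the embed markup and the two uiconf_id values are copied from the post.

```javascript
// Added example, not from the original post, Kaltura, or the Drupal module.
// Handlers, session shape and store are hypothetical illustrations.

// Embed tag as posted (default dark-skin player, uiconf_id 48502), trimmed to
// the attributes that matter here.
const POSTED_EMBED =
  '<embed type="application/x-shockwave-flash" ' +
  'src="http://www.kaltura.com/kwidget/wid/_608642/entry_id/0_n11sb3tx/uiconf_id/48502" ' +
  'width="520" height="300" flashVars="uid=1&externalInterfaceDisabled=false" />';

const SCREENSHOT_UICONF = '4665782'; // player with the screenshot button, per the post

// Pull the src URL out of an <embed> tag.
function srcFromEmbed(html) {
  const m = /\bsrc="([^"]+)"/.exec(html);
  if (!m) throw new Error('no src attribute');
  return m[1];
}

// kwidget URLs carry key/value pairs as path segments:
//   /kwidget/wid/X/entry_id/Y/uiconf_id/Z
function parseKwidgetSrc(src) {
  const parts = new URL(src).pathname.split('/').filter(Boolean);
  const i = parts.indexOf('kwidget');
  if (i < 0) throw new Error('not a kwidget URL');
  const params = {};
  for (let j = i + 1; j + 1 < parts.length; j += 2) params[parts[j]] = parts[j + 1];
  return params;
}

// The whole "attack" from the post: rewrite one path segment.
function withUiconf(src, uiconfId) {
  return src.replace(/(\/uiconf_id\/)\d+/, `$1${uiconfId}`);
}

// Hypothetical server-side store: one entry, owned by uid 1, thumbnail at 0 s.
function makeStore() {
  return { '0_n11sb3tx': { ownerUid: 1, thumbFrameSec: 0 } };
}

// Insecure pattern: trusts a client-supplied UI identifier. Hiding the button
// in the default player is not access control; whoever swaps uiconf_id gets it.
function setThumbnailByPlayer(store, req) {
  if (req.uiconf_id !== SCREENSHOT_UICONF) return { ok: false, reason: 'wrong player' };
  const entry = store[req.entry_id];
  if (!entry) return { ok: false, reason: 'no such entry' };
  entry.thumbFrameSec = req.frameSec;
  return { ok: true };
}

// Hardened pattern: the decision depends on the authenticated session and the
// entry's owner. Which UI sent the request, and the uid= flashVar, are ignored.
function setThumbnailByOwner(store, req, session) {
  const entry = store[req.entry_id];
  if (!entry) return { ok: false, reason: 'no such entry' };
  if (!session || session.uid !== entry.ownerUid) return { ok: false, reason: 'forbidden' };
  entry.thumbFrameSec = req.frameSec;
  return { ok: true };
}

// Walk through the post's scenario: an anonymous visitor swaps in the
// screenshot player and asks to make second 42 the default frame.
function demo() {
  const src = srcFromEmbed(POSTED_EMBED);
  const swapped = parseKwidgetSrc(withUiconf(src, SCREENSHOT_UICONF));
  const req = { entry_id: swapped.entry_id, uiconf_id: swapped.uiconf_id, frameSec: 42 };
  const a = makeStore();
  const b = makeStore();
  return {
    byPlayer: setThumbnailByPlayer(a, req).ok,                 // anonymous caller succeeds
    byOwnerAnon: setThumbnailByOwner(b, req, null).ok,         // rejected
    byOwnerOwner: setThumbnailByOwner(b, req, { uid: 1 }).ok, // owner allowed
    frameAfterAnon: a['0_n11sb3tx'].thumbFrameSec,             // store a was changed
  };
}
```

Run it with Node (`node example.js` after adding `console.log(demo())`). The takeaway for whoever owns the server side is that the set-thumbnail action needs an owner or permission check of its own; which player configuration happens to expose the button is not a boundary the server can rely on.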
Comments
Comment #1
timefor commented: Just to clarify. This doesn't seem to change the image that loads in the player. It changes the image the module downloads from Kaltura as the default thumb. The image that loads in the player seems to keep loading whatever Kaltura chose as the default.
- Jayson
Comment #2
xurizaemon commented: @Jayson, I believe I can reproduce this behaviour.
The commands to set the thumbnail are being sent to the Kaltura server, so this appears to be an issue for Kaltura team. I don't think we can deal with it in the Drupal module, so I'm marking this "works as designed" (as far as the Drupal module is concerned, anyway).
Thanks for reporting.