* Advisory ID: DRUPAL-SA-CONTRIB-2010-083 * Project: UC2Checkout, UCPaypal, UC Cart LInks (third-party modules in the Ubercart Project) * Version: 5.x, 6.x * Date: 2010-Aug-11 * Security risk: Critical * Exploitable from: Remote * Vulnerability: Access Bypass, Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues. 1) The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to simulate payment and order completion on arbitrary orders. If the 2Checkout gateway module is not installed then your site is not at risk to this vulnerability. 2) The Paypal module's WPS payment method did not properly verify the payment notification information. A malicious user could alter HTML form data to send payment to a different Paypal account and still check out on the site. If you do not use the Paypal WPS payment method then your site is not at risk to this vulnerability. 3) The Ubercart Cart Links module is vulnerable to both an Access Bypass and Cross Site Request Forgery where a malicious user could both trick other users into adding or removing items from their cart and add items to a cart which are not published on the site. If you do not use Ubercart Cart Links module your site is not at risk to this vulnerability.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ubercart module for Drupal 5.x versions prior to 5.x-1.10 * Ubercart module for Drupal 6.x versions prior to 6.x-2.4
Drupal core is not affected. If you do not use the contributed Ubercart [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the Ubercart module for Drupal 5.x upgrade to Ubercart 5.x-1.10 [2] * If you use the Ubercart module for Drupal 6.x upgrade to Ubercart 6.x-2.4 [3]
See also the Ubercart project page [4]. -------- REPORTED BY ---------------------------------------------------------
* Greg Knaddison [5] of the Drupal Security Team * Guy Paddock [6] * Nathan Phillip Brink [7]
-------- FIXED BY ------------------------------------------------------------
* Lyle Mantooth [8], the module maintainer * Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT -------------------------------------------------------------
The Drupal security team [10] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/ubercart [2] http://drupal.org/node/880378 [3] http://drupal.org/node/880390 [4] http://drupal.org/project/ubercart [5] http://drupal.org/user/UID [6] http://drupal.org/user/156932 [7] http://drupal.org/user/829476 [8] http://drupal.org/user/86683 [9] http://drupal.org/user/UID [10] http://drupal.org/security-team