* Advisory ID: DRUPAL-SA-CONTRIB-2010-071
* Project: MultiSafepay Integration (third-party module)
* Version: 6.x
* Date: 2010-July-07
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The MultiSafepay Integration module provides integration between the Ubercart e-commerce solution and the MultiSafepay payment system. The module is vulnerable to Cross Site Request Forgeries (CSRF [1]), which would allow a malicious user to alter the status of orders or to trick other users into altering the status of orders.
-------- VERSIONS AFFECTED ---------------------------------------------------
* MultiSafepay Integration module for Drupal 6.x versions prior to 6.x-1.1 [2]
Drupal core is not affected. If you do not use the contributed MultiSafepay Integration [3] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the MultiSafepay Integration module for Drupal 6.x, upgrade to MultiSafepay Integration 6.x-1.1 [4]
See also the MultiSafepay Integration project page [5].
-------- REPORTED BY ---------------------------------------------------------
* Peter Wolanin (pwolanin [6]) of the Drupal security team
-------- FIXED BY ------------------------------------------------------------
* Dieter De Waele (coworks_dieter [7]), the module maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/846200
[3] http://drupal.org/project/uc_multisafepay
[4] http://drupal.org/node/846200
[5] http://drupal.org/project/uc_multisafepay
[6] http://drupal.org/user/49851
[7] http://drupal.org/user/253145
[8] http://drupal.org/security-team