* Advisory ID: DRUPAL-SA-CONTRIB-2010-071
* Project: MultiSafepay Integration (third-party module)
* Version: 6.x
* Date: 2010-July-07
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery

-------- DESCRIPTION ---------------------------------------------------------

The MultiSafepay Integration module provides integration between the Ubercart e-commerce solution and the MultiSafepay payment system.

The module is vulnerable to Cross Site Request Forgeries (CSRF [1]), which would allow a malicious user to alter the status of orders or to trick other users into altering the status of orders.

-------- VERSIONS AFFECTED ---------------------------------------------------

* MultiSafepay Integration module for Drupal 6.x versions prior to 6.x-1.1 [2]

Drupal core is not affected. If you do not use the contributed MultiSafepay Integration [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the MultiSafepay Integration module for Drupal 6.x, upgrade to MultiSafepay Integration 6.x-1.1 [4]

See also the MultiSafepay Integration project page [5].

-------- REPORTED BY ---------------------------------------------------------

* Peter Wolanin (pwolanin [6]) of the Drupal security team

-------- FIXED BY ------------------------------------------------------------

* Dieter De Waele (coworks_dieter [7]), the module maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Csrf
[2] http://drupal.org/node/846200
[3] http://drupal.org/project/uc_multisafepay
[4] http://drupal.org/node/846200
[5] http://drupal.org/project/uc_multisafepay
[6] http://drupal.org/user/49851
[7] http://drupal.org/user/253145
[8] http://drupal.org/security-team
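As an added illustration of the bug class named in the DESCRIPTION section (this is not the MultiSafepay Integration module's code and does not reproduce its actual flaw), the Drupal 6 pattern for protecting a state-changing order link: the link carries a per-session token from drupal_get_token() and the page callback refuses any request whose token does not validate. The module name "mymodule", the menu path, the function names and the Ubercart status call are assumptions made for this example.

```php
<?php
// Added example: Drupal 6 CSRF protection for a link that changes order state.
// "mymodule", the path and the function names are hypothetical; they are not
// taken from the MultiSafepay Integration module.

/**
 * Implementation of hook_menu().
 */
function mymodule_menu() {
  $items = array();
  // Without a token check in the callback, any GET to this path changes an
  // order, so a link or image on a third-party page could trigger it with the
  // victim's own session cookie. The check below is what closes that gap.
  $items['admin/store/orders/%/mark-paid'] = array(
    'page callback' => 'mymodule_mark_paid',
    'page arguments' => array(3),
    'access arguments' => array('update orders'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link; the token is bound to the user's session and to this
 * exact path, so it cannot be produced by another site.
 */
function mymodule_mark_paid_link($order_id) {
  $path = 'admin/store/orders/' . $order_id . '/mark-paid';
  return l(t('Mark as paid'), $path, array(
    'query' => array('token' => drupal_get_token($path)),
  ));
}

/**
 * Page callback: rejects the request unless the token validates.
 */
function mymodule_mark_paid($order_id) {
  $path = 'admin/store/orders/' . $order_id . '/mark-paid';
  // drupal_valid_token() recomputes the hash from the session id, the value
  // and the site's private key, so a forged cross-site request fails here.
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return drupal_access_denied();
  }
  // 'payment_received' is an Ubercart 2.x built-in status; the call itself is
  // an assumption about the Ubercart API, not code from the advisory.
  uc_order_update_status($order_id, 'payment_received');
  drupal_set_message(t('Order @id marked as paid.', array('@id' => $order_id)));
  drupal_goto('admin/store/orders/' . $order_id);
}
```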