SA-CONTRIB-2010-077 - Sage Pay (former Protx) Direct Payment Gateway for Ubercart - Information Disclosure - Security-news

28 Jul 2010


      * Advisory ID: DRUPAL-SA-CONTRIB-2010-077
  * Project: Sage Pay Direct Payment Gateway for Ubercart (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-July-28
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure
-------- DESCRIPTION  
---------------------------------------------------------
The Sage Pay Direct Payment Gateway for Ubercart (uc_protx_vsp_direct)
processes credit card transactions in Ubercart stores using the Sage Pay
Direct service. The module may show remote 3-D Secure pages to the user in an
iframe when their bank supports the Verified by Visa or MasterCard SecureCode
verification schemes. These pages can include sensitive information relating
to the user's credit card. In some configurations, the page containing the
iframe may be stored in the Drupal cache and incorrectly shown to a
subsequent anonymous user.
-------- VERSIONS AFFECTED  
---------------------------------------------------
* Sage Pay Direct Payment Gateway for Ubercart module for Drupal 5.x
    versions prior to 5.x-1.9
  * Sage Pay Direct Payment Gateway for Ubercart for Drupal 6.x versions prior
    to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Sage Pay
Direct Payment Gateway for Ubercart there is nothing you need to do.
-------- SOLUTION  
------------------------------------------------------------
Install the latest version:
  * If you use the Sage Pay Direct Payment Gateway for Ubercart module for
    Drupal 5.x upgrade to the 5.x-1.9 version [1]
  * If you use the Sage Pay Direct Payment Gateway for Ubercart module for
    Drupal 6.x upgrade to the 6.x-1.4 version [2]
See also the Sage Pay Direct Payment Gateway for Ubercart project page [3].
-------- REPORTED BY  
---------------------------------------------------------
* David Long (longwave) [4], module co-maintainer
-------- FIXED BY  
------------------------------------------------------------
* David Long (longwave) [5], module co-maintainer
-------- CONTACT  
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/node/867454
[2] http://drupal.org/node/867456
[3] http://drupal.org/project/uc_protx_vsp_direct
[4] http://drupal.org/user/246492
[5] http://drupal.org/user/246492
[6] http://drupal.org/security-team