* Advisory ID: DRUPAL-SA-CONTRIB-2010-077
* Project: Sage Pay Direct Payment Gateway for Ubercart (third-party module)
* Version: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information Disclosure

-------- DESCRIPTION ---------------------------------------------------------
The Sage Pay Direct Payment Gateway for Ubercart (uc_protx_vsp_direct) processes credit card transactions in Ubercart stores using the Sage Pay Direct service. The module may show remote 3-D Secure pages to the user in an iframe when their bank supports the Verified by Visa or MasterCard SecureCode verification schemes. These pages can include sensitive information relating to the user's credit card. In some configurations, the page containing the iframe may be stored in the Drupal cache and incorrectly shown to a subsequent anonymous user.

-------- VERSIONS AFFECTED ---------------------------------------------------
* Sage Pay Direct Payment Gateway for Ubercart module for Drupal 5.x versions prior to 5.x-1.9
* Sage Pay Direct Payment Gateway for Ubercart module for Drupal 6.x versions prior to 6.x-1.4
Drupal core is not affected. If you do not use the contributed Sage Pay Direct Payment Gateway for Ubercart module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Sage Pay Direct Payment Gateway for Ubercart module for Drupal 5.x, upgrade to the 5.x-1.9 version [1]
* If you use the Sage Pay Direct Payment Gateway for Ubercart module for Drupal 6.x, upgrade to the 6.x-1.4 version [2]
See also the Sage Pay Direct Payment Gateway for Ubercart project page [3].

-------- REPORTED BY ---------------------------------------------------------
* David Long (longwave) [4], module co-maintainer
-------- FIXED BY ------------------------------------------------------------
* David Long (longwave) [5], module co-maintainer
-------- CONTACT -------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/node/867454
[2] http://drupal.org/node/867456
[3] http://drupal.org/project/uc_protx_vsp_direct
[4] http://drupal.org/user/246492
[5] http://drupal.org/user/246492
[6] http://drupal.org/security-team
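The disclosure described above arises because Drupal 6 stores the output of anonymous requests in its page cache keyed by URL, so a per-customer page rendered during an anonymous checkout can be replayed to the next anonymous visitor. The following is an added example, not the module's own code or its actual patch, of how a Drupal 6 page callback that frames a 3-D Secure page can keep its output out of that cache; the module name example_3ds, the menu path and the $_SESSION keys are assumptions.

```php
<?php
// Added illustration, not code from the uc_protx_vsp_direct module: a Drupal 6
// page callback that embeds a 3-D Secure page in an iframe and keeps the
// rendered HTML out of Drupal's anonymous page cache. The module name
// "example_3ds", the menu path and the $_SESSION keys are assumptions.

/**
 * Implementation of hook_menu().
 */
function example_3ds_menu() {
  $items['example-3ds/authenticate'] = array(
    'title' => '3-D Secure authentication',
    'page callback' => 'example_3ds_iframe_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: show the cardholder's bank page inside an iframe.
 *
 * Drupal 6 stores and serves cached pages only for anonymous users, and an
 * anonymous checkout is exactly the case in which this per-customer page
 * would otherwise be cached and replayed to the next anonymous visitor.
 */
function example_3ds_iframe_page() {
  // page_set_cache() runs only when variable_get('cache') != CACHE_DISABLED,
  // and variable_get() reads $conf, so this stops the output of this single
  // request being written to cache_page without changing the site setting.
  $GLOBALS['conf']['cache'] = CACHE_DISABLED;

  // Browsers and intermediate caches should not keep a copy either.
  drupal_set_header('Cache-Control: private, no-cache, no-store, must-revalidate');
  drupal_set_header('Expires: Sun, 19 Nov 1978 05:00:00 GMT');

  // Assumed to have been stored in the session by the gateway response
  // handler (the real flow also posts the bank's PaReq to this URL from
  // inside the frame; that detail is omitted here).
  $acs_url = isset($_SESSION['example_3ds']['acs_url']) ? $_SESSION['example_3ds']['acs_url'] : '';
  if (!valid_url($acs_url, TRUE)) {
    drupal_not_found();
    return;
  }

  return '<iframe src="' . check_url($acs_url) . '" width="400" height="400" title="'
    . t('3-D Secure authentication') . '"></iframe>';
}
```

Overriding $conf only prevents this request from being stored; any copy already sitting in cache_page from before the change has to be cleared separately, for example with cache_clear_all() on the cache_page table when the fix is deployed.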