SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - Security-news

29 Oct 2014


      View online: https://www.drupal.org/node/2365809
* Advisory ID: DRUPAL-SA-CONTRIB-2014-106
   * Project: Commerce Authorize.Net SIM/DPM Payment Methods [1]
     (third-party module)
   * Version: 7.x
   * Date: 2014-October-29
   * Security risk: 12/25 ( Moderately Critical)
     AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
   * Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module provides payment methods for the Drupal Commerce [3] package to
permit the use of the Authorize.Net payment gateway's SIM and DPM payment
protocols.
.... Access Bypass
The module doesn't sufficiently protect the Drupal Commerce order number
passed to the Authorize.Net payment gateway, allowing a specially modified
payment POST transaction to Authorize.Net to be applied to a previous order
still in the checkout state.  This could allow the previous transaction to be
marked as paid despite the fact that the payment applied was smaller than its
outstanding balance.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
     accordance
            with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to
     7.x-1.1.
Drupal core is not affected. If you do not use the contributed Commerce
Authorize.Net SIM/DPM Payment Methods [5] module,
       there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for
     Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods
     7.x-1.1 [6]
Also see the Commerce Authorize.Net SIM/DPM Payment Methods [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Vadim Mirgorod [8]
-------- FIXED BY
------------------------------------------------------------
* Vadim Mirgorod [9]
   * Jerry Hudgins [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [11] of the Drupal Security Team
   * Rick Manelius [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14],
       writing secure code for Drupal [15], and
       securing your site [16].
[1] https://www.drupal.org/project/commerce_authnet_simdpm
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/commerce_authnet_simdpm
[6] https://www.drupal.org/node/2361849
[7] https://www.drupal.org/project/commerce_authnet_simdpm
[8] https://www.drupal.org/user/243418
[9] https://www.drupal.org/user/243418
[10] https://www.drupal.org/user/96266
[11] https://www.drupal.org/u/larowlan
[12] https://www.drupal.org/user/680072
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration