View online: https://www.drupal.org/node/2365809
* Advisory ID: DRUPAL-SA-CONTRIB-2014-106
* Project: Commerce Authorize.Net SIM/DPM Payment Methods [1] (third-party module)
* Version: 7.x
* Date: 2014-October-29
* Security risk: 12/25 (Moderately Critical) AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module provides payment methods for the Drupal Commerce [3] package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols.
.... Access Bypass
The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing a specially modified payment POST transaction to Authorize.Net to be applied to a previous order still in the checkout state. This could allow the previous transaction to be marked as paid despite the fact that the payment applied was smaller than its outstanding balance.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods [5] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.1 [6]
Also see the Commerce Authorize.Net SIM/DPM Payment Methods [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Vadim Mirgorod [8]
-------- FIXED BY ------------------------------------------------------------
* Vadim Mirgorod [9]
* Jerry Hudgins [10], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Lee Rowlands [11] of the Drupal Security Team
* Rick Manelius [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16].
[1] https://www.drupal.org/project/commerce_authnet_simdpm
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/commerce_authnet_simdpm
[6] https://www.drupal.org/node/2361849
[7] https://www.drupal.org/project/commerce_authnet_simdpm
[8] https://www.drupal.org/user/243418
[9] https://www.drupal.org/user/243418
[10] https://www.drupal.org/user/96266
[11] https://www.drupal.org/u/larowlan
[12] https://www.drupal.org/user/680072
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration