[Security-news] SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross-site request forgery

security-news at drupal.org
Wed Nov 18 21:27:21 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-107
  * Project: Ubercart (third-party module)
  * Version: 5.x, 6.x
  * Date: 2009-November-18
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Access bypass, Cross-site request forgery

-------- DESCRIPTION ---------------------------------------------------------

Ubercart's PayPal Website Payments Standard integration exposes a path for
completed orders without properly checking that the order belongs to the
current user. If the order has already been processed for checkout, visiting
this path can cause the completion actions to run a second time. Furthermore,
if the checkout completion message has been customized to include order
details, those details can be disclosed to a user other than the buyer. The
Ubercart order management pages were also affected by a minor cross-site
request forgery vulnerability.
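
The two defensive checks the advisory implies, an order-ownership test on the completion path and a token check on state-changing order-management links, written as an added illustration in Drupal 6 style (this is not Ubercart's own code or fix). It assumes `$order` comes from `uc_order_load()` with `uid`, `order_id` and `order_status` properties, that the `view all orders` permission and the `in_checkout` status exist, and every `example_*` name and path is hypothetical.

```php
<?php
// Added illustration, not Ubercart's own code. Assumed: $order comes from
// uc_order_load() with ->uid, ->order_id and ->order_status; the 'view all
// orders' permission and 'in_checkout' status exist; example_* names are made up.
//
// Wiring (hypothetical hook_menu entries, loader %uc_order on the path):
//   example/checkout/complete/%uc_order -> access: example_order_owner_access
//   example/order/%uc_order/cancel      -> access: example_order_cancel_access

// The order must exist and belong to the logged-in user, unless the user holds
// a staff permission. Anonymous visitors (uid 0) never pass the ownership test.
function example_order_owner_access($order) {
  global $user;
  if (!$order) {
    return FALSE;
  }
  $is_owner = $user->uid && $order->uid == $user->uid;
  return $is_owner || user_access('view all orders');
}

// Page callback for the completion path. Completion work runs once: an order
// that is no longer 'in_checkout' only gets its receipt shown, so revisiting
// the URL cannot repeat completion actions.
function example_checkout_complete($order) {
  if ($order->order_status != 'in_checkout') {
    return t('This order has already been completed.');
  }
  // ... one-time completion work for the freshly paid order goes here ...
  return t('Thank you for your order.');
}

// Order-management action links carry a token bound to the session and order.
function example_order_cancel_link($order) {
  $path = 'example/order/' . $order->order_id . '/cancel';
  $token = drupal_get_token('example_cancel_' . $order->order_id);
  return l(t('Cancel order'), $path, array('query' => array('token' => $token)));
}

// Access callback for the cancel path: ownership check plus token validation,
// so a link forged on another site (no valid token) is refused before the
// state-changing page callback runs.
function example_order_cancel_access($order) {
  if (!example_order_owner_access($order) || !isset($_GET['token'])) {
    return FALSE;
  }
  return drupal_valid_token($_GET['token'], 'example_cancel_' . $order->order_id);
}
```

Because the checks live in access callbacks, the menu system denies the request before any page callback runs, which is the pattern the Drupal security team recommends over checks inside the page callback.
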

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Ubercart module for Drupal 6.x prior to Ubercart 6.x-2.1 [1]
  * Ubercart module for Drupal 5.x prior to Ubercart 5.x-1.9 [2]

Drupal core is not affected. If you do not use the contributed Ubercart [3]
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Upgrade to the latest version:
  * If you use Ubercart module for Drupal 6.x upgrade to version 6.x-2.1 [4]
  * If you use Ubercart module for Drupal 5.x upgrade to version 5.x-1.9 [5]

-------- REPORTED BY ---------------------------------------------------------

  * Reported by Daniel Duvall [6]

-------- FIXED BY ------------------------------------------------------------

  * Fixed by Ryan Szrama [7], the module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/node/636616
[2] http://drupal.org/node/636614
[3] http://drupal.org/project/ubercart
[4] http://drupal.org/node/636616
[5] http://drupal.org/node/636614
[6] http://drupal.org/user/584298
[7] http://drupal.org/user/49344
