[Security-news] SA-CONTRIB-2010-083 - Ubercart sub-modules - Multiple Vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Aug 11 20:06:36 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-083
  * Project: UC2Checkout, UCPaypal, UC Cart Links (third-party modules in the
    Ubercart Project)
  * Version: 5.x, 6.x
  * Date: 2010-Aug-11
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass, Cross Site Request Forgery

-------- DESCRIPTION  ---------------------------------------------------------

The Ubercart module for Drupal provides e-commerce features. Several modules
within Ubercart were vulnerable to various security issues.
  1) The 2Checkout gateway module did not properly verify the payment
     notification information. A malicious user could use a specially crafted
     HTTP request to simulate payment and order completion on arbitrary
     orders. If the 2Checkout gateway module is not installed, your site is
     not at risk from this vulnerability.
  2) The PayPal module's WPS payment method did not properly verify the
     payment notification information. A malicious user could alter HTML form
     data to send payment to a different PayPal account and still check out on
     the site. If you do not use the PayPal WPS payment method, your site is
     not at risk from this vulnerability.
  3) The Ubercart Cart Links module is vulnerable to both an Access Bypass and
     a Cross Site Request Forgery: a malicious user could trick other users
     into adding or removing items from their cart, and could add items to a
     cart that are not published on the site. If you do not use the Ubercart
     Cart Links module, your site is not at risk from this vulnerability.
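Issues 1 and 2 share one root cause: the payment notification was trusted without
being checked against the order it claims to pay for. The following is an added
illustration, not Ubercart's or Drupal's code; the order array shape, the field
names and the `$verify_origin` callback (standing in for the gateway's own
authenticity check, such as an IPN postback) are assumptions.

```php
<?php
// Added example: validate a gateway payment notification against the locally
// stored order before marking that order as paid. Not Ubercart code.

/**
 * Returns NULL when the notification may be accepted, otherwise a reason string.
 *
 * @param array    $ipn           Notification fields as posted by the gateway (hypothetical names).
 * @param array    $order         Local order record (hypothetical shape).
 * @param string   $merchant_id   Account the site is configured to receive payments to.
 * @param callable $verify_origin Asks the gateway whether it really sent $ipn; returns bool.
 */
function validate_payment_notification(array $ipn, array $order, $merchant_id, callable $verify_origin) {
  // 1. Authenticity: the gateway itself must confirm the notification (issue 1:
  //    otherwise anyone can POST a "payment complete" message for any order).
  if (!$verify_origin($ipn)) {
    return 'notification could not be verified with the gateway';
  }
  // 2. Receiver: the money must have gone to OUR account, not to one the
  //    customer substituted in the checkout form (issue 2).
  if (!isset($ipn['receiver']) || strcasecmp($ipn['receiver'], $merchant_id) !== 0) {
    return 'payment was sent to a different account';
  }
  // 3. Only a completed payment may complete the order.
  if (!isset($ipn['status']) || $ipn['status'] !== 'Completed') {
    return 'payment not completed';
  }
  // 4. Amount and currency must match the order exactly; compare in cents to
  //    avoid floating-point surprises.
  if (!isset($ipn['currency']) || $ipn['currency'] !== $order['currency']) {
    return 'currency mismatch';
  }
  if ((int) round(((float) $ipn['amount']) * 100) !== (int) round(((float) $order['total']) * 100)) {
    return 'amount mismatch';
  }
  // 5. Replay protection: a transaction id already applied to this order is ignored.
  if (in_array($ipn['txn_id'], $order['processed_txn_ids'], true)) {
    return 'duplicate transaction';
  }
  return NULL;
}

// Constructed sample: a customer redirected the payment to their own account.
$order  = ['id' => 42, 'total' => '19.99', 'currency' => 'USD', 'processed_txn_ids' => []];
$forged = ['receiver' => 'attacker@example.com', 'status' => 'Completed',
           'amount' => '19.99', 'currency' => 'USD', 'txn_id' => 'TXN-0001'];
$genuine = function (array $ipn) { return TRUE; };  // assume the gateway check passed
echo validate_payment_notification($forged, $order, 'shop@example.com', $genuine), PHP_EOL;
```

Every check runs server-side against stored order data; nothing taken from the
customer's browser or the notification body is trusted on its own.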

-------- VERSIONS AFFECTED  ---------------------------------------------------

  * Ubercart module for Drupal 5.x versions prior to 5.x-1.10
  * Ubercart module for Drupal 6.x versions prior to 6.x-2.4

Drupal core is not affected. If you do not use the contributed Ubercart [1]
module, there is nothing you need to do.

-------- SOLUTION  ------------------------------------------------------------

Install the latest version:
  * If you use the Ubercart module for Drupal 5.x upgrade to Ubercart 5.x-1.10
    [2]
  * If you use the Ubercart module for Drupal 6.x upgrade to Ubercart 6.x-2.4
    [3]

See also the Ubercart project page [4].

-------- REPORTED BY  ---------------------------------------------------------

  * Greg Knaddison [5] of the Drupal Security Team
  * Guy Paddock [6]
  * Nathan Phillip Brink [7]

-------- FIXED BY  ------------------------------------------------------------

  * Lyle Mantooth [8], the module maintainer
  * Greg Knaddison [9] of the Drupal Security Team

-------- CONTACT  -------------------------------------------------------------

The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/ubercart
[2] http://drupal.org/node/880378
[3] http://drupal.org/node/880390
[4] http://drupal.org/project/ubercart
[5] http://drupal.org/user/UID
[6] http://drupal.org/user/156932
[7] http://drupal.org/user/829476
[8] http://drupal.org/user/86683
[9] http://drupal.org/user/UID
[10] http://drupal.org/security-team
