[Security-news] SA-CONTRIB-2010-064 - Ubercart MIGS Payment Gateway - Web Parameter Tampering

security-news at drupal.org security-news at drupal.org
Wed Jun 16 19:51:13 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-064
  * Project: Ubercart MIGS Payment Gateway (third-party module)
  * Versions: 6.x
  * Date: 2010-Jun-16
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Web Parameter Tampering

The Ubercart MIGS Payment Gateway module provides support for the MIGS
3rd-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank, and
various other banks worldwide for payment processing. This module was
susceptible to web parameter tampering [1] which allowed users to bypass
paying the full amount due on checkout. The amount paid was correctly
recorded against the order, but certain site configurations might allow
purchases to be delivered despite incomplete payment. This has been resolved
in the latest release, which also incorporates other features to match bank
requirements.
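The defensive check the advisory implies, as an added illustration that is not the uc_migs module's code: every field in a hosted-gateway return is untrusted input, so the handler verifies the gateway's integrity hash with the shared secret and compares the amount the gateway reports against the total stored with the order, never against any amount carried in the request. The parameter names, the HMAC-over-sorted-fields signing scheme and the sample order are assumptions made for this example, not MIGS's exact format.

```python
import hashlib
import hmac

# Constructed sample data: the server's own record of each order total, in cents.
ORDERS = {"1001": {"total_cents": 12500, "status": "pending"}}
SECRET = b"example-shared-secret"  # placeholder, not a real credential


def sign(params: dict) -> str:
    """Integrity hash the gateway attaches: HMAC-SHA256 over the sorted
    key=value pairs, excluding the hash field itself (assumed scheme)."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(params.items())
                       if k != "SecureHash")
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().upper()


def validate_return(params: dict) -> tuple:
    """Decide whether an order may be marked paid. Returns (ok, reason)."""
    # 1. Reject anything whose hash does not verify: a tampered field
    #    (amount, order id, response code) fails here.
    if not hmac.compare_digest(sign(params), params.get("SecureHash", "")):
        return False, "integrity hash mismatch"
    order = ORDERS.get(params.get("OrderInfo", ""))
    if order is None:
        return False, "unknown order"
    if params.get("TxnResponseCode") != "0":
        return False, "gateway declined"
    try:
        paid = int(params.get("Amount", ""))
    except ValueError:
        return False, "malformed amount"
    # 2. The core check: the amount actually paid must equal the total the
    #    server stored for this order, not a value taken from the request.
    if paid != order["total_cents"]:
        return False, f"paid {paid} but order total is {order['total_cents']}"
    order["status"] = "paid"
    return True, "ok"


def gateway_response(order_id: str, amount_cents: int, code: str = "0") -> dict:
    """Build a signed response the way the gateway would (constructed sample)."""
    p = {"OrderInfo": order_id, "Amount": str(amount_cents), "TxnResponseCode": code}
    p["SecureHash"] = sign(p)
    return p
```

A response that verifies but reports a smaller payment is refused by the amount comparison, while a response whose amount was altered after signing is refused by the hash check; only a signed response for the full stored total marks the order paid.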

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Ubercart MIGS Payment Gateway for Drupal 6.x prior to uc_migs-6.x-1.2.

Drupal core is not affected. If you do not use the contributed Ubercart MIGS
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use uc_migs for Drupal 6.x, upgrade to uc_migs-6.x-1.2 [2].

See also the Ubercart MIGS Gateway project page [3].

-------- REPORTED BY ---------------------------------------------------------

Chris Burgess [4], the uc_migs maintainer.

-------- FIXED BY ------------------------------------------------------------

Chris Burgess

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://www.owasp.org/index.php/Web_Parameter_Tampering
[2] http://drupal.org/node/828614
[3] http://drupal.org/project/uc_migs
[4] http://drupal.org/user/76026