[Security-news] SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

security-news at drupal.org security-news at drupal.org
Wed Sep 10 20:02:25 UTC 2014


View online: https://www.drupal.org/node/2336357

   * Advisory ID: DRUPAL-SA-CONTRIB-2014-087
   * Project: Drupal Commerce [1]     (third-party module)
   * Version: 7.x
   * Date: 2014-September-10
   * Security risk: 13/25 ( Moderately Critical)
     AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
   * Vulnerability: Information Disclosure

-------- DESCRIPTION
---------------------------------------------------------

Drupal Commerce is used to build eCommerce websites and applications of all
sizes.

The commerce_order module can be used to create new user accounts where email
addresses are used as user names. Since user names are not considered private
information in Drupal [3] this is an information disclosure of email
addresses.

This vulnerability is mitigated by the fact that the commerce_checkout module
must be enabled with the default rule configuration enabled that creates new
user accounts when an anonymous user completes the checkout process.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [4] will be requested, and added upon issuance, in
     accordance
            with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Drupal
Commerce [5] module,
       there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Drupal Commerce 1.10 includes an update function that will change all user
names on the site that look like email addresses. *This can be a disruptive
process for some sites and therefore must be enabled explicitly by the update
administrator.* If you don't run the default update function you need to make
sure yourself that user names are not valid email addresses.

To enable the username cleaning update function, you must set the
commerce_checkout_run_update_7103 variable to TRUE before running update.php
or drush updb: You can either use $conf['commerce_checkout_run_update_7103']
= TRUE; in settings.php or drush vset commerce_checkout_run_update_7103 1.

Then install the latest version:

   * If you use the Drupal Commerce module for Drupal 7.x, upgrade to Drupal
     Commerce 7.x-1.10 [6]

In case you don't want to apply the default update function you can just run
update.php without the variable and the update function will be skipped.

Also see the Drupal Commerce [7] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Damien Tournoud [8] of the Drupal Security Team

-------- FIXED BY
------------------------------------------------------------

   * Klaus Purer [9] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

   * Klaus Purer [10] of the Drupal Security Team
   * Greg Knaddison [11] of the Drupal Security Team
   * Ben Jeavons [12] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] https://www.drupal.org/project/commerce
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/1004778
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/commerce
[6] https://www.drupal.org/node/2336327
[7] https://www.drupal.org/project/commerce
[8] https://www.drupal.org/user/22211
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/user/262198
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/91990
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration



More information about the Security-news mailing list