  • Advisory ID: DRUPAL-SA-2005-006
  • Project: ecommerce
  • Date: 2005-Oct-30
  • Security risk: critical
  • Impact: authorize_net module, which is a part of the ecommerce package
  • Exploitable from: local
  • Vulnerability: System is unintentionally logging credit card transactions, including card numbers.

Description

Solar Designer of the Openwall Project reported a security vulnerability in the contributed authorize_net module which is part of the ecommerce package. Credit card information was being stored in a system log file. The system should not be saving this information.

Versions affected

Please check the CVS $Id$ fields in the following files to determine whether the version of the authorize_net module you are running is vulnerable.

All versions older than the following are vulnerable:

4.5 branch:

  • // $Id: authorize_net.module,v 1.1.2.4 2005/03/03 01:15:38 mathias Exp $

4.6 branch:

  • // $Id: authorize_net.module,v 1.10 2005/04/28 05:07:08 mathias Exp $

HEAD branch:

  • // $Id: authorize_net.module,v 1.18 2005/10/24 19:33:13 mathias Exp $
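
The revision check described above can be scripted. The following is an added example, not code from the advisory or from the Drupal project. It assumes that "older" means a lower CVS revision number on the same branch and that the caller supplies the branch name; the function names and sample lines are hypothetical.

```python
import re

# Fixed revisions quoted from the "Versions affected" list above.
FIXED = {"4.5": "1.1.2.4", "4.6": "1.10", "HEAD": "1.18"}

# Matches an expanded CVS keyword line such as:
#   // $Id: authorize_net.module,v 1.10 2005/04/28 05:07:08 mathias Exp $
ID_RE = re.compile(r"\$Id: authorize_net\.module,v (\d+(?:\.\d+)+) ")


def parse_revision(text):
    """Return the CVS revision from the first $Id$ line, or None if absent."""
    m = ID_RE.search(text)
    return m.group(1) if m else None


def rev_tuple(rev):
    # Compare each component as an integer: as strings, "1.9" sorts after "1.10".
    return tuple(int(part) for part in rev.split("."))


def is_vulnerable(module_text, branch):
    """True if the module is older than the fixed revision for `branch`.

    Assumption: the caller knows which branch the site runs; the revision
    number alone cannot tell a 4.6 checkout from a HEAD checkout.
    """
    rev = parse_revision(module_text)
    if rev is None:
        # No expanded $Id$ keyword, so the version cannot be verified here.
        raise ValueError("no $Id$ line found for authorize_net.module")
    return rev_tuple(rev) < rev_tuple(FIXED[branch])


if __name__ == "__main__":
    # Constructed sample header lines; only the 1.10 line matches the advisory.
    samples = [
        ("4.6", "// $Id: authorize_net.module,v 1.9 2005/01/01 00:00:00 example Exp $"),
        ("4.6", "// $Id: authorize_net.module,v 1.10 2005/04/28 05:07:08 mathias Exp $"),
        ("4.5", "// $Id: authorize_net.module,v 1.1.2.3 2005/01/01 00:00:00 example Exp $"),
    ]
    for branch, line in samples:
        status = "VULNERABLE" if is_vulnerable(line, branch) else "ok"
        print(branch, parse_revision(line), status)
```
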

Solution

Drupal core is not affected, and the authorize_net module is not installed by default. If you do not use the authorize_net module, there is nothing you need to do. If you do use authorize_net, upgrade to the latest version of the ecommerce package for your Drupal version. Note that Drupal 4.6 users also need to run the ecommerce database upgrade script.

Contact

The security team for Drupal can be reached at security@drupal.org or using the form at http://drupal.org/contact.