SA-CONTRIB-2010-071 - MultiSafepay Integration - Cross Site Request Forgery

By greggles on 7 Jul 2010 at 15:53 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2010-071
Project: MultiSafepay Integration (third-party module)
Version: 6.x
Date: 2010-July-07
Security risk: Critical
Exploitable from: Remote
Vulnerability: Cross Site Request Forgery

Description

The MultiSafepay Integration module provides integration between the Ubercart e-commerce solution and the MultiSafepay payment system.

The module is vulnerable to Cross Site Request Forgeries (CSRF) which would allow a malicious user to alter the status of orders or to trick other users into altering the status of orders.

Versions affected

MultiSafepay Integration module for Drupal 6.x versions prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed MultiSafepay Integration module, there is nothing you need to do.

Solution

Install the latest version:

If you use the MultiSafepay Integration module for Drupal 6.x upgrade to MultiSafepay Integration 6.x-1.1

Reported by

Peter Wolanin (pwolanin) of the Drupal security team

Fixed by

Dieter De Waele (coworks_dieter) the module maintainer

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.

SA-CONTRIB-2010-071 - MultiSafepay Integration - Cross Site Request Forgery

Description

Versions affected

Solution

Reported by

Fixed by

Contact

New forum topics

News items

Our community

Documentation

Drupal code base

Governance of community