Security advisories for contributed projects

• Advisory ID: DRUPAL-SA-CONTRIB-2009-107
• Project: Ubercart (third-party module)
• Version: 5.x, 6.x
• Date: 2009-November-18
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass, Cross-site request forgery

Description

Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently. Furthermore, if the checkout completion message has been modified to include order details, information disclosure can happen.

The Ubercart order management was also affected by a minor cross-site request forgery vulnerability.

Versions affected

• Ubercart module for Drupal 6.x prior to Ubercart 6.x-2.1
• Ubercart module for Drupal 5.x prior to Ubercart 5.x-1.9

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Upgrade to the latest version:

• Advisory ID: DRUPAL-SA-CONTRIB-2009-105
• Project: Subgroups for Organic Groups (third-party module)
• Version: 5.x
• Date: 2009-November-18
• Security risk: Less Critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

• Advisory ID: DRUPAL-SA-CONTRIB-2009-103
• Project: Strongarm (third-party module)
• Version: 6.x
• Date: 2009 November 18
• Security risk: Moderately Critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

• Advisory ID: DRUPAL-SA-CONTRIB-2009-101
• Project: Web Services (third-party theme)
• Version: 6.x
• Date: 2009-November-11
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Access Bypass