- Advisory ID: SA-CONTRIB-2012-112
- Project: Ubercart SecureTrading Payment Method (third-party module)
- Version: 6.x
- Date: 2012-July-11
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Failure to follow guideline/specification - integrity check value
Description
The Ubercart SecureTrading Payment Method module provides an Ubercart payment method for the SecureTrading.com gateway.
The module's payment method did not properly verify the validity of payment notification information. A malicious user could trick a site into thinking that an item has been paid for when in fact it has not. If you do not use the payment method provided by the Ubercart SecureTrading Payment Method module, your site is not at risk from this vulnerability.
CVE: Requested
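The kind of check whose absence is described above, as an added PHP example (not the module's code and not SecureTrading's specification): a notification handler that verifies an integrity check value before marking an order paid. The field names, the HMAC-SHA256 scheme, the `authorised` status value and the shared secret are assumptions; a real patch must follow the gateway's own definition of the check value.

```php
<?php
// Added example. Field names, the HMAC-SHA256 scheme and the order array
// are assumptions, not SecureTrading's specification or the module's code.
const ICV_FIELDS = ['order_id', 'amount', 'currency', 'status', 'txn_ref'];
// Compute the integrity check value over a fixed, ordered field list.
function notification_icv(array $n, string $secret): string {
  $parts = [];
  foreach (ICV_FIELDS as $f) {
    $v = (string) ($n[$f] ?? '');
    // Length-prefix each value so adjacent fields cannot be shifted.
    $parts[] = strlen($v) . ':' . $v;
  }
  return hash_hmac('sha256', implode('|', $parts), $secret);
}

function verify_notification(array $n, array $order, string $secret): array {
  foreach (array_merge(ICV_FIELDS, ['icv']) as $f) {
    if (!isset($n[$f]) || !is_string($n[$f])) {
      return [false, "missing or non-string field: $f"];
    }
  }
  // Check the ICV first, in constant time, before trusting any field.
  if (!hash_equals(notification_icv($n, $secret), strtolower($n['icv']))) {
    return [false, 'integrity check value mismatch'];
  }
  // An authentic message must still describe the order the site created.
  if ($n['order_id'] !== $order['order_id']) {
    return [false, 'order id mismatch'];
  }
  if ($n['amount'] !== $order['amount'] || $n['currency'] !== $order['currency']) {
    return [false, 'amount or currency mismatch'];
  }
  if ($n['status'] !== 'authorised') {
    return [false, 'payment not authorised'];
  }
  return [true, 'ok'];
}

// Constructed sample data.
$secret = 'constructed-shared-secret';
$order = ['order_id' => '1042', 'amount' => '4999', 'currency' => 'GBP'];
$signed = $order + ['status' => 'authorised', 'txn_ref' => 'T-0001'];
$signed['icv'] = notification_icv($signed, $secret);
$unsigned = ['icv' => str_repeat('0', 64)] + $signed;  // no valid ICV
$altered = ['amount' => '1'] + $signed;                // changed after signing
foreach (compact('signed', 'unsigned', 'altered') as $name => $n) {
  [$ok, $why] = verify_notification($n, $order, $secret);
  printf("%-8s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

Only the `signed` notification is accepted. A handler built this way would also record each `txn_ref` so that a replayed notification cannot mark a second order as paid.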
Versions affected
- All versions of the Ubercart SecureTrading Payment Method module.
Drupal core is not affected. If you do not use the contributed Ubercart SecureTrading Payment Method module, there is nothing you need to do.
Solution
There is not currently a fixed version of the module. You should disable the module immediately.
You can:
- Change to a new gateway.
- Work with the module maintainer and/or other users to patch the module.
Also see the Ubercart SecureTrading Payment Method project page.
Reported by
- Dylan Tack of the Drupal Security Team
Fixed by
No fix provided.
Coordinated by
- Dylan Tack of the Drupal Security Team
- Damien Tournoud of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.