By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-083
- Project: UC2Checkout, UCPaypal, UC Cart Links (third-party modules in the Ubercart Project)
- Version: 5.x, 6.x
- Date: 2010-Aug-11
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass, Cross Site Request Forgery
Description
The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues.
- The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to simulate payment and order completion on arbitrary orders. If the 2Checkout gateway module is not installed, your site is not at risk from this vulnerability.
- The Paypal module's WPS payment method did not properly verify the payment notification information. A malicious user could alter HTML form data to send payment to a different Paypal account and still check out on the site. If you do not use the Paypal WPS payment method, your site is not at risk from this vulnerability.
- The Ubercart Cart Links module is vulnerable to both Access Bypass and Cross Site Request Forgery: a malicious user could trick other users into adding or removing items from their cart, and could add items to a cart that are not published on the site. If you do not use the Ubercart Cart Links module, your site is not at risk from this vulnerability.
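What "properly verify" in the first two bullets comes down to, as an added PHP example that is not Ubercart's or any gateway's code: a payment notification is checked for authenticity, for the site's configured receiver account, and against the stored order before it may complete anything. The field names, the HMAC signature scheme and all sample values are assumptions.

```php
<?php
// Added example (not Ubercart's or any gateway's code): validate a payment
// notification against the stored order before marking it paid. Assumed fields.
function validate_payment_notification(array $notice, array $order, array $config): array {
  $errors = [];
  // 1. Authenticity: recompute a signature over the fields that matter with a
  //    secret only site and gateway share (real gateways offer their own check,
  //    e.g. posting the notification back to them for verification).
  $canonical = implode('|', [
    $notice['order_id'] ?? '', $notice['txn_id'] ?? '', $notice['receiver'] ?? '',
    $notice['amount'] ?? '', $notice['currency'] ?? '', $notice['status'] ?? '',
  ]);
  $expected = hash_hmac('sha256', $canonical, $config['shared_secret']);
  if (!hash_equals($expected, (string) ($notice['sig'] ?? ''))) {
    $errors[] = 'signature mismatch';
  }
  // 2. Receiver: the payee must be the site's configured account, never a value
  //    carried in the submitted form (the Paypal WPS issue in the advisory).
  if (strcasecmp((string) ($notice['receiver'] ?? ''), $config['receiver_account']) !== 0) {
    $errors[] = 'receiver account mismatch';
  }
  // 3. Order binding: the notice must name this order, and the paid amount and
  //    currency must equal what the site recorded (compared in whole cents).
  if ((string) ($notice['order_id'] ?? '') !== (string) $order['order_id']) {
    $errors[] = 'order id mismatch';
  }
  $paid_cents = (int) round(((float) ($notice['amount'] ?? 0)) * 100);
  if (($notice['currency'] ?? '') !== $order['currency']
      || $paid_cents !== (int) round($order['total'] * 100)) {
    $errors[] = 'amount or currency mismatch';
  }
  // 4. Status and replay: only a completed payment whose transaction id has not
  //    been processed before may complete the order.
  if (($notice['status'] ?? '') !== 'Completed') {
    $errors[] = 'payment not completed';
  }
  if (in_array($notice['txn_id'] ?? '', $order['seen_txn_ids'], true)) {
    $errors[] = 'duplicate transaction id';
  }
  return $errors;
}

// Constructed sample: an order of 49.99 USD and a forged notice that points the
// payment at another account; the signature and receiver checks both reject it.
$config = ['receiver_account' => 'shop@example.com', 'shared_secret' => 'constructed-secret'];
$order = ['order_id' => 1042, 'total' => 49.99, 'currency' => 'USD', 'seen_txn_ids' => []];
$forged = ['order_id' => 1042, 'txn_id' => 'T1', 'receiver' => 'attacker@example.net',
  'amount' => '49.99', 'currency' => 'USD', 'status' => 'Completed', 'sig' => 'bogus'];
print_r(validate_payment_notification($forged, $order, $config));
```

An empty array means the order may be completed; anything else is logged and the order left untouched.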
Versions affected
- Ubercart module for Drupal 5.x versions prior to 5.x-1.10
- Ubercart module for Drupal 6.x versions prior to 6.x-2.4
Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Ubercart module for Drupal 5.x upgrade to Ubercart 5.x-1.10
- If you use the Ubercart module for Drupal 6.x upgrade to Ubercart 6.x-2.4
See also the Ubercart project page.
Reported by
- Greg Knaddison of the Drupal Security Team
- Guy Paddock
- Nathan Phillip Brink
Fixed by
- Lyle Mantooth, the module maintainer
- Greg Knaddison of the Drupal Security Team
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.