• Advisory ID: DRUPAL-SA-CONTRIB-2010-083
  • Project: UC2Checkout, UCPaypal, UC Cart Links (third-party modules in the Ubercart Project)
  • Version: 5.x, 6.x
  • Date: 2010-Aug-11
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass, Cross Site Request Forgery

Description

The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues.

  1. The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to simulate payment and order completion on arbitrary orders. If the 2Checkout gateway module is not installed, your site is not at risk from this vulnerability.
  2. The Paypal module's WPS payment method did not properly verify the payment notification information. A malicious user could alter HTML form data to send payment to a different Paypal account and still check out on the site. If you do not use the Paypal WPS payment method, your site is not at risk from this vulnerability.
  3. The Ubercart Cart Links module is vulnerable to both an access bypass and a cross-site request forgery: a malicious user could trick other users into adding or removing items from their carts, and could add items to a cart that are not published on the site. If you do not use the Ubercart Cart Links module, your site is not at risk from this vulnerability.
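The three issues above share a pattern: the site acted on a gateway notification or a cart link without checking that the request was genuine, that it referred to the site's own account and order, and that the requested item was actually available. The following is an added illustration, written for this advisory and not taken from Ubercart, 2Checkout or PayPal code, of the server-side checks a defender would expect. The signature scheme, the `MERCHANT_ACCOUNT` and secret values, the `Order` record, and the product catalogue are all constructed assumptions; real gateways each define their own verification mechanism.

```python
"""Constructed example of the checks the advisory's three issues call for.
Not Ubercart code: the signature scheme, secrets and sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

MERCHANT_ACCOUNT = "merchant@example.com"  # assumed: the account configured on the site
NOTIFY_SECRET = b"assumed-gateway-shared-secret"  # assumed: secret shared with the gateway
SITE_KEY = b"assumed-site-private-key"  # assumed: per-site key for cart link tokens


@dataclass
class Order:
    order_id: int
    total: str  # stored as the exact string the gateway is expected to echo back
    currency: str
    status: str = "pending"


def sign_notification(fields: Dict[str, str]) -> str:
    """Assumed gateway signature: HMAC-SHA256 over the sorted fields, minus 'sig'."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig").encode()
    return hmac.new(NOTIFY_SECRET, msg, hashlib.sha256).hexdigest()


def complete_order(fields: Dict[str, str], orders: Dict[int, Order]) -> Tuple[bool, str]:
    """Accept a payment notification only if it is authentic, paid to us, and bound to a
    pending order with the right amount. Returns (accepted, reason)."""
    # Issue 1: the notification must be verifiable as coming from the gateway, not
    # from anyone who can send an HTTP request to the callback URL.
    if not hmac.compare_digest(sign_notification(fields), fields.get("sig", "")):
        return False, "bad signature"
    # Issue 2: the receiving account must be the site's own, even if the checkout
    # form data that started the payment was altered by the buyer.
    if fields.get("receiver") != MERCHANT_ACCOUNT:
        return False, "payment went to a different account"
    # Bind the notification to a real, still-pending order with matching amount.
    try:
        order = orders[int(fields.get("order_id", ""))]
    except (KeyError, ValueError):
        return False, "unknown order"
    if fields.get("amount") != order.total or fields.get("currency") != order.currency:
        return False, "amount/currency mismatch"
    if order.status != "pending":
        return False, "order already processed"
    order.status = "paid"
    return True, "ok"


# Constructed product catalogue for issue 3: node id -> published flag.
PUBLISHED = {7: True, 8: False}


def make_cart_link_token(session_id: str, action: str) -> str:
    """Token tying a cart link to the visitor's session and to the exact action."""
    return hmac.new(SITE_KEY, f"{session_id}:{action}".encode(), hashlib.sha256).hexdigest()


def apply_cart_link(session_id: str, token: str, action: str,
                    cart: Dict[int, int]) -> Tuple[bool, str]:
    """Apply 'add:<nid>' or 'remove:<nid>' only with a valid session-bound token
    (CSRF defence) and only for published products (access bypass defence)."""
    if not hmac.compare_digest(make_cart_link_token(session_id, action), token):
        return False, "missing or invalid token (possible CSRF)"
    verb, _, nid_text = action.partition(":")
    try:
        nid = int(nid_text)
    except ValueError:
        return False, "malformed action"
    if verb == "add":
        if not PUBLISHED.get(nid, False):
            return False, "product not available"
        cart[nid] = cart.get(nid, 0) + 1
    elif verb == "remove":
        cart.pop(nid, None)
    else:
        return False, "unknown action"
    return True, "ok"
```

The replay check (`order.status != "pending"`) matters as much as the signature: a notification that is authentic but already consumed should not complete a second order. Token comparison uses `hmac.compare_digest` so that a forged token cannot be guessed byte by byte through timing.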

Versions affected

  • Ubercart module for Drupal 5.x versions prior to 5.x-1.10
  • Ubercart module for Drupal 6.x versions prior to 6.x-2.4

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use Ubercart for Drupal 5.x, upgrade to Ubercart 5.x-1.10 or later
  • If you use Ubercart for Drupal 6.x, upgrade to Ubercart 6.x-2.4 or later

See also the Ubercart project page.

Reported by

Fixed by

Contact

The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.