This module enables you to take payments through the Global Payments / Realex Hosted Payment Page (HPP), either via a lightbox iframe or via a full-page redirect.
When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment response returned by Global Payments.
The lightbox payment method validates the signature, so sites that use it are not affected.
Install the latest version:
- If you use the commerce_realex module <=3.0.1, upgrade to commerce_realex 3.0.2.
The redirect payment response is now cryptographically verified against the merchant shared secret.
Sites that cannot update immediately should disable this payment gateway until the update can be applied.
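The kind of check the fix describes, as an added example that is not code from commerce_realex: the hash is recomputed from the returned fields and the shared secret, then compared in constant time before the response is trusted. Assumptions: the signed field list, the `SHA1HASH` field name and the two-step SHA-1 layout follow the gateway's SHA-1 response scheme as understood here, and the function names and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not commerce_realex code. The field list, the SHA1HASH
// name and the two-step SHA-1 layout are assumptions about the HPP response.
const HPP_SIGNED_FIELDS = ['TIMESTAMP', 'MERCHANT_ID', 'ORDER_ID', 'RESULT',
  'MESSAGE', 'PASREF', 'AUTHCODE'];

/** Recompute the response hash, or return null if a signed field is malformed. */
function hpp_expected_hash(array $response, string $secret): ?string {
  $values = [];
  foreach (HPP_SIGNED_FIELDS as $field) {
    $value = $response[$field] ?? '';
    if (!is_string($value)) {
      return null; // e.g. a parameter that arrived as an array
    }
    $values[] = $value;
  }
  return sha1(sha1(implode('.', $values)) . '.' . $secret);
}

/** Fail closed: only a response whose hash matches may update the order. */
function hpp_response_is_authentic(array $response, string $secret): bool {
  $received = $response['SHA1HASH'] ?? null;
  $expected = hpp_expected_hash($response, $secret);
  if ($secret === '' || !is_string($received) || $expected === null) {
    return false;
  }
  // hash_equals() compares in constant time.
  return hash_equals($expected, strtolower($received));
}

// Constructed sample data; none of these values come from the advisory.
$secret = 'constructed-shared-secret';
$signed = [
  'TIMESTAMP' => '20240101120000', 'MERCHANT_ID' => 'examplemerchant',
  'ORDER_ID' => 'ORDER-1001', 'RESULT' => '101', 'MESSAGE' => 'DECLINED',
  'PASREF' => '10000000000000001', 'AUTHCODE' => '',
];
$signed['SHA1HASH'] = hpp_expected_hash($signed, $secret);

$cases = [
  'as signed by the gateway' => $signed,
  'RESULT altered after signing' => ['RESULT' => '00'] + $signed,
  'hash field missing' => array_diff_key($signed, ['SHA1HASH' => true]),
];
foreach ($cases as $label => $response) {
  $verdict = hpp_response_is_authentic($response, $secret) ? 'accept' : 'reject';
  echo $label, ': ', $verdict, PHP_EOL;
}
```

The order state should change only after this check passes, and a rejected response is worth logging with the order ID for later review.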
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team