- Advisory ID: DRUPAL-SA-CONTRIB-2014-106
- Project: Commerce Authorize.Net SIM/DPM Payment Methods (third-party module)
- Version: 7.x
- Date: 2014-October-29
- Security risk: 12/25 (Moderately Critical) AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All
- Vulnerability: Access bypass
Description
This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway’s SIM and DPM payment protocols.
Access Bypass
The module doesn’t sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing a specially modified payment POST transaction to Authorize.Net to be applied to a previous order still in the checkout state. This could allow the previous transaction to be marked as paid despite the fact that the payment applied was smaller than its outstanding balance.
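The mitigation the fix needs is to bind each gateway callback to the specific order that started the payment and to require the full outstanding balance. The following is an added illustration of that check in Python, not the module's code: the `x_invoice_num`, `x_amount` and `x_response_code` field names follow Authorize.Net's convention, while the echoed `order_token` field and the `Order` record are assumptions made for the example.

```python
"""Added illustration (not the module's code): binding a gateway payment
callback to the Drupal Commerce order it was started for, so a callback
cannot be re-pointed at another order still in the checkout state."""
import hmac
import secrets
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


@dataclass
class Order:
    order_id: int
    status: str              # e.g. "checkout_payment" or "completed"
    balance: Decimal         # outstanding amount for this order
    # Per-order secret generated when checkout starts (assumed field).
    payment_token: str = field(default_factory=lambda: secrets.token_hex(16))


def start_payment(order: Order) -> dict:
    """Fields the site sends with the hosted-page redirect; the token is
    stored with the order and assumed to be echoed back by the gateway."""
    return {"x_invoice_num": str(order.order_id),
            "x_amount": f"{order.balance:.2f}",
            "order_token": order.payment_token}


def accept_callback(callback: dict, orders: dict) -> tuple:
    """Validate a gateway callback before marking an order as paid."""
    try:
        order = orders[int(callback.get("x_invoice_num", ""))]
        amount = Decimal(callback.get("x_amount", "0"))
    except (KeyError, ValueError, InvalidOperation):
        return False, "unknown order or malformed amount"
    if order.status != "checkout_payment":
        return False, "order not awaiting payment"
    # Bind the callback to the order that initiated it: a callback whose
    # order number was changed will carry another order's token.
    if not hmac.compare_digest(callback.get("order_token", ""), order.payment_token):
        return False, "token mismatch"
    # The paid amount must equal the outstanding balance, not merely exist.
    if amount != order.balance:
        return False, "amount does not match outstanding balance"
    if callback.get("x_response_code") != "1":      # 1 = approved
        return False, "gateway did not approve"
    order.status = "completed"
    return True, "paid"
```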
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.1
Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.
Reported by
Fixed by
- Vadim Mirgorod
- Jerry Hudgins, the module maintainer
Coordinated by
- Lee Rowlands of the Drupal Security Team
- Rick Manelius of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.