• Advisory ID: DRUPAL-SA-CONTRIB-2014-106
• Project: Commerce Authorize.Net SIM/DPM Payment Methods (third-party module)
• Version: 7.x
• Date: 2014-October-29
• Security risk: 12/25 ( Moderately Critical) AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All
• Vulnerability: Access bypass

Description

This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway’s SIM and DPM payment protocols.

Access Bypass

The module doesn’t sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing a specially modified payment POST transaction to Authorize.Net to be applied to a previous order still in the checkout state. This could allow the previous transaction to be marked as paid despite the fact that the payment applied was smaller than its outstanding balance.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance
  with Drupal Security Team processes.

Versions affected

• Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.1

Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.

Reported by

• Vadim Mirgorod

Fixed by

• Vadim Mirgorod
• Jerry Hudgins the module maintainer

Coordinated by

• Lee Rowlands of the Drupal Security Team
• Rick Manelius of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.