SA-CONTRIB-2014-106 – Commerce Authorize.Net SIM/DPM Payment Methods – Access Bypass

Description

This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway’s SIM and DPM payment protocols.

Access Bypass

The module doesn’t sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing a specially modified payment POST transaction to Authorize.Net to be applied to a previous order still in the checkout state. This could allow the previous transaction to be marked as paid despite the fact that the payment applied was smaller than its outstanding balance.
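
One way to close this class of gap, as an added example that is not the module's actual fix or code: bind the order number and amount into a keyed hash when the payment form is built, then verify both that hash and the order's outstanding balance before marking the order paid. The field names, `SITE_SECRET` and the order array are hypothetical, and the gateway's own response authentication is assumed to have already passed.

```php
<?php
// Added illustration; not code from the module. All names are hypothetical.
const SITE_SECRET = 'constructed-demo-secret'; // assumption: per-site private key

// Token placed in the payment form: binds order id and amount (in cents).
function order_token($order_id, $amount_cents) {
  return hash_hmac('sha256', $order_id . '|' . $amount_cents, SITE_SECRET);
}

// Decide whether a payment notification may mark an order as paid.
// Returns array(bool $ok, string $reason).
function validate_payment(array $post, array $orders) {
  foreach (array('order_id', 'amount_cents', 'token') as $key) {
    if (!isset($post[$key]) || !is_string($post[$key])) {
      return array(FALSE, "missing $key");
    }
  }
  if (!ctype_digit($post['order_id']) || !ctype_digit($post['amount_cents'])) {
    return array(FALSE, 'malformed field');
  }
  // The order id and amount must be the pair the site issued the form for.
  $expected = order_token($post['order_id'], $post['amount_cents']);
  if (!hash_equals($expected, $post['token'])) {
    return array(FALSE, 'token does not match order id and amount');
  }
  if (!isset($orders[$post['order_id']])) {
    return array(FALSE, 'unknown order');
  }
  $order = $orders[$post['order_id']];
  // Re-check state and balance at payment time; the cart may have changed.
  if ($order['status'] !== 'checkout') {
    return array(FALSE, 'order is not awaiting payment');
  }
  if ((int) $post['amount_cents'] !== $order['balance_cents']) {
    return array(FALSE, 'amount differs from outstanding balance');
  }
  return array(TRUE, 'ok');
}
// Constructed sample data: two orders in checkout and two notifications.
$orders = array(
  '7' => array('status' => 'checkout', 'balance_cents' => 10000),
  '10' => array('status' => 'checkout', 'balance_cents' => 500),
);
$genuine = array('order_id' => '10', 'amount_cents' => '500',
  'token' => order_token('10', '500'));
$altered = array('order_id' => '7') + $genuine; // order id changed in transit
foreach (array('genuine' => $genuine, 'altered' => $altered) as $label => $post) {
  list($ok, $reason) = validate_payment($post, $orders);
  echo $label . ': ' . ($ok ? 'accept' : 'reject') . ' (' . $reason . ")\n";
}
```

The balance comparison is kept separate from the token check so that an order whose total changed after the form was issued is still refused.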

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.
