[IT-SecNots] [Security-news] Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006

[security-news AT drupal.org]

View online: https://www.drupal.org/node/2670632

   * Advisory ID: DRUPAL-SA-CONTRIB-2016-006
   * Project: Commerce Authorize.Net SIM/DPM Payment Methods [1]
     (third-party module)
   * Version: 7.x
   * Date: 2016-February-17
   * Security risk: 15/25 ( Critical)
     AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

This module enables you to make credit card payments for Drupal Commerce
orders via the Authorize.Net payment gateway using either their SIM (hosted
payment page) or DPM (direct post method) mechanisms.

The module doesn't sufficiently protect against the premature triggering of
order completion without successful payment by the manual entry of a
specially-constructed URL which contains the correct payment redirect key.

This vulnerability is mitigated by the fact that an attacker must know the
format of the redirect URL and the current payment redirect key. It's also
worth noting that orders prematurely completed in this fashion will *NOT*
record a successful payment and thus show an unpaid balance.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Commerce Authorize.Net SIM/DPM Payment Methods versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Commerce
Authorize.Net SIM/DPM Payment Methods [4] module, there is nothing you need
to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

   * If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for
     Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods
     7.x-1.4 [5]

Also see the Commerce Authorize.Net SIM/DPM Payment Methods [6] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Matt White [7]

-------- FIXED BY
------------------------------------------------------------

   * Matt White [8]
   * Jerry Hudgins [9] the module maintainer

-------- COORDINATED BY
------------------------------------------------------

   * Rick Manelius [10] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and  securing your site [14].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]


[1] https://www.drupal.org/project/commerce_authnet_simdpm
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/commerce_authnet_simdpm
[5] https://www.drupal.org/node/2670212
[6] https://www.drupal.org/project/commerce_authnet_simdpm
[7] https://www.drupal.org/user/266840
[8] https://www.drupal.org/user/266840
[9] https://www.drupal.org/user/96266
[10] https://www.drupal.org/user/680072
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news