Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2014-087
- Project: Drupal Commerce (third-party module)
- Version: 7.x
- Date: 2014-September-10
- Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
- Vulnerability: Information Disclosure
Description
Drupal Commerce is used to build eCommerce websites and applications of all sizes.
The commerce_order module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of email addresses.
This vulnerability is mitigated by the fact that the commerce_checkout module must be enabled with the default rule configuration enabled that creates new user accounts when an anonymous user completes the checkout process.
CVE identifier(s) issued
- CVE-2014-9025
Versions affected
- Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Drupal Commerce module,
there is nothing you need to do.
Solution
Drupal Commerce 1.10 includes an update function that will change all user names on the site that look like email addresses. This can be a disruptive process for some sites and therefore must be enabled explicitly by the update administrator. If you don't run the default update function you need to make sure yourself that user names are not valid email addresses.
To enable the username cleaning update function, you must set the commerce_checkout_run_update_7103 variable to TRUE before running update.php or drush updb: You can either use $conf['commerce_checkout_run_update_7103'] = TRUE; in settings.php or drush vset commerce_checkout_run_update_7103 1.
Then install the latest version:
- If you use the Drupal Commerce module for Drupal 7.x, upgrade to Drupal Commerce 7.x-1.10
In case you don't want to apply the default update function you can just run update.php without the variable and the update function will be skipped.
Also see the Drupal Commerce project page.
Reported by
- Damien Tournoud of the Drupal Security Team
Fixed by
- Klaus Purer of the Drupal Security Team
Coordinated by
- Klaus Purer of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Ben Jeavons of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
