Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006

By Drupal Security Team on 17 Feb 2016 at 17:56 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2016-006
Project: Commerce Authorize.Net SIM/DPM Payment Methods (third-party module)
Version: 7.x
Date: 2016-February-17
Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass

Description

This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM (hosted payment page) or DPM (direct post method) mechanisms.

The module doesn't sufficiently protect against the premature triggering of order completion without successful payment by the manual entry of a specially-constructed URL which contains the correct payment redirect key.

This vulnerability is mitigated by the fact that an attacker must know the format of the redirect URL and the current payment redirect key. It's also worth noting that orders prematurely completed in this fashion will NOT record a successful payment and thus show an unpaid balance.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

Commerce Authorize.Net SIM/DPM Payment Methods versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.4

Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.