- Advisory ID: DRUPAL-SA-CONTRIB-2010-064
- Project: Ubercart MIGS Payment Gateway (third-party module)
- Versions: 6.x
- Date: 2010-Jun-16
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Web Parameter Tampering
The Ubercart MIGS Payment Gateway module provides support for the MIGS 3rd-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank, and various other banks worldwide for payment processing.
This module was susceptible to web parameter tampering, which allowed users to bypass paying the full amount due on checkout.
The amount paid was correctly recorded against the order, but certain site configurations might allow purchases to be delivered despite incomplete payment.
This has been resolved in the latest release, which also incorporates other features to match bank requirements.
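The check a payment return handler needs for the case described above, as an added example that is not the uc_migs code or its fix: verify that the returned fields were not altered, then compare the amount the gateway reports against the server-side order total before releasing goods. The field names (`order_ref`, `amount_cents`, `response_code`, `secure_hash`), the HMAC-SHA256 signing scheme and the sample values are assumptions for illustration, not the MIGS wire format.

```php
<?php
// Added illustration. Field names and the HMAC scheme are assumptions,
// not the MIGS wire format or the uc_migs implementation.

// Sign the fields with the shared merchant secret, in a canonical order.
function sign_fields(array $fields, string $secret): string {
  unset($fields['secure_hash']);
  ksort($fields);
  return hash_hmac('sha256', http_build_query($fields), $secret);
}

// $order is the server-side record. Returns paid|partial|declined|rejected.
function check_gateway_return(array $params, array $order, string $secret): string {
  $claimed = $params['secure_hash'] ?? '';
  if (!is_string($claimed) || !hash_equals(sign_fields($params, $secret), $claimed)) {
    return 'rejected';  // a field was altered after signing, or no hash sent
  }
  if (($params['order_ref'] ?? '') !== (string) $order['id']) {
    return 'rejected';  // signed response belongs to a different order
  }
  if (($params['response_code'] ?? '') !== '0') {
    return 'declined';
  }
  $raw = $params['amount_cents'] ?? '';
  if (!is_string($raw) || !ctype_digit($raw)) {
    return 'rejected';
  }
  // Compare with the total stored server-side, never one from the request.
  return (int) $raw >= $order['total_cents'] ? 'paid' : 'partial';
}

// Constructed sample data.
$secret = 'constructed-test-secret';
$order = ['id' => 1001, 'total_cents' => 4995];

$genuine = ['order_ref' => '1001', 'amount_cents' => '4995', 'response_code' => '0'];
$genuine['secure_hash'] = sign_fields($genuine, $secret);

// Amount edited after signing: the hash no longer matches.
$tampered = ['amount_cents' => '100'] + $genuine;

// Validly signed but for less than the order total: record it, do not fulfil.
$underpaid = ['order_ref' => '1001', 'amount_cents' => '100', 'response_code' => '0'];
$underpaid['secure_hash'] = sign_fields($underpaid, $secret);

foreach (['genuine' => $genuine, 'tampered' => $tampered, 'underpaid' => $underpaid] as $name => $p) {
  printf("%-9s => %s\n", $name, check_gateway_return($p, $order, $secret));
}
```

The `partial` outcome corresponds to the situation in the advisory: the payment is recorded against the order, and fulfilment has to stay blocked until the full amount is paid.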
- Ubercart MIGS Payment Gateway for Drupal 6.x prior to uc_migs-6.x-1.2.
Drupal core is not affected. If you do not use the contributed Ubercart MIGS module, there is nothing you need to do.
Install the latest version:
- If you use uc_migs for Drupal 6.x, upgrade to uc_migs-6.x-1.2.
See also the Ubercart MIGS Gateway project page.
Chris Burgess, the uc_migs maintainer.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.