• Advisory ID: DRUPAL-SA-CONTRIB-2010-064
  • Project: Ubercart MIGS Payment Gateway (third-party module)
  • Versions: 6.x
  • Date: 2010-Jun-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Web Parameter Tampering

The Ubercart MIGS Payment Gateway module provides support for the MIGS 3rd-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank, and various other banks worldwide for payment processing.

This module was susceptible to web parameter tampering, which allowed users to bypass paying the full amount due at checkout.

The amount paid was correctly recorded against the order, but certain site configurations might allow purchases to be delivered despite incomplete payment.

This has been resolved in the latest release, which also incorporates other features to match bank requirements.
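A generic server-side check for the failure described above, as an added example that is not taken from uc_migs, Ubercart or the module's fix: the payment return is verified, and the confirmed amount is compared with the stored order total before the order is released. The field names, the HMAC-SHA256 signing scheme and the function names are assumptions made for illustration.

```php
<?php
// Added example. All names are hypothetical; this is not uc_migs or Ubercart code.

// Canonical string over the gateway's return parameters (signature excluded).
function canonical_params(array $params): string {
    unset($params['signature']);
    ksort($params);
    return http_build_query($params);
}

// $order is loaded from the site's own database, never from the request.
// Returns 'rejected', 'underpaid' or 'paid'.
function settle_order(array $order, array $params, string $secret): string {
    $given = $params['signature'] ?? '';
    $expected = hash_hmac('sha256', canonical_params($params), $secret);
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected';   // return parameters were altered or forged
    }
    if (($params['order_ref'] ?? null) !== $order['ref']) {
        return 'rejected';   // response belongs to a different order
    }
    $amount = $params['amount'] ?? '';
    if (!is_string($amount) || preg_match('/^[0-9]+$/', $amount) !== 1) {
        return 'rejected';
    }
    // Integer minor units (cents) avoid float rounding in the comparison.
    // The gateway-confirmed amount is compared with the stored order total,
    // so a lowered amount is recorded but never releases the order.
    return ((int) $amount < $order['total_cents']) ? 'underpaid' : 'paid';
}

// Helper for the constructed samples below: signs a parameter set.
function signed(array $params, string $secret): array {
    $params['signature'] = hash_hmac('sha256', canonical_params($params), $secret);
    return $params;
}

// Constructed sample data.
$secret = 'constructed-demo-secret';
$order  = ['ref' => 'ORDER-1001', 'total_cents' => 4999];

$full    = signed(['order_ref' => 'ORDER-1001', 'amount' => '4999'], $secret);
$lowered = signed(['order_ref' => 'ORDER-1001', 'amount' => '100'], $secret);
$forged  = ['order_ref' => 'ORDER-1001', 'amount' => '4999', 'signature' => 'x'];

foreach (['full' => $full, 'lowered' => $lowered, 'forged' => $forged] as $name => $p) {
    echo $name, ': ', settle_order($order, $p, $secret), "\n";
}
```

Only the `paid` result should move an order to a state that triggers delivery; `underpaid` keeps the payment on record while the order stays pending.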

Versions Affected

  • Ubercart MIGS Payment Gateway for Drupal 6.x prior to uc_migs-6.x-1.2.

Drupal core is not affected. If you do not use the contributed Ubercart MIGS module, there is nothing you need to do.

Solution

Install the latest version:

See also the Ubercart MIGS Gateway project page.

Reported by

Chris Burgess, the uc_migs maintainer.

Fixed by

Chris Burgess

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.