Line 264:

<?php
  if ($rate > 0) {
    $quotes[] = array('rate' => $rate, 'format' => uc_currency_format($rate), 'option_label' => $method['tablequote']['quote']['accessorials'][0]);
  } else {
    $quotes[] = array('rate' => $rate, 'format' => uc_currency_format($rate), 'option_label' => $method['tablequote']['quote']['accessorials'][0]);
  }
?>

Whether $rate > 0 or not, the same code is executed!
Thus uc_tablequote doesn't check any limit and may return an absolutly wrong quote.
This is a critical bug that can lead to security issues.

Comments

anrikun’s picture

There's a patch that fixes this issue here:
http://drupal.org/node/743050#comment-2836530

anrikun’s picture

Assigned: Unassigned » anrikun
Status: Active » Needs review
anrikun’s picture

Status: Needs review » Fixed

This is fixed in 6.x-2.x-dev.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.