SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass

This module integrates the Skrill online payment services with Drupal Commerce.

When processing Instant payment notifications (IPN), the “Moneybookers enterprise” payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forged notifications to be accepted as valid.

The vulnerability is mitigated by the fact that it only affects the “Moneybookers enterprise” payment method.

CVE identifier(s) issued

• CVE-2013-1924

Versions affected

The “Moneybookers enterprise” payment method provided by the Commerce Skrill contributed module in all versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Commerce Skrill (Formerly Moneybookers) module, there is nothing you need to do.

Solution

Install the latest version. The “Moneybookers enterprise” payment method now requires the use of the hash security option.

• Upgrade to Commerce Skrill 7.x-1.2
• Go to the backoffice of Skrill and enable the securityHash verification following the Administration > Processing > Processing Settings section.
• Get the security token, and paste it in the Secret key field of the payment method configuration form.

Also see the Commerce Skrill (Formerly Moneybookers) project page.

Reported by

• Julien Dubreuil the module maintainer

Fixed by

• Julien Dubreuil the module maintainer
• Jonathan Sacksick the module maintainer

Coordinated by

• Klaus Purer of the Drupal Security Team