Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006

This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM (hosted payment page) or DPM (direct post method) mechanisms.

The module doesn’t sufficiently protect against the premature triggering of order completion without successful payment by the manual entry of a specially-constructed URL which contains the correct payment redirect key.

This vulnerability is mitigated by the fact that an attacker must know the format of the redirect URL and the current payment redirect key. It’s also worth noting that orders prematurely completed in this fashion will NOT record a successful payment and thus show an unpaid balance.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Commerce Authorize.Net SIM/DPM Payment Methods versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.4

Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.

Reported by

• Matt White

Fixed by

• Matt White
• Jerry Hudgins the module maintainer

Coordinated by

• Rick Manelius of the Drupal Security Team