- Security: Payment Information Leak in Test Harness Controller (see 0.3.2)
- Security: XML Injection in DPSAdapter API Requests (see 0.3.2)
- Security: DPS Payment Information Leak in Test Harness Controller
Since 2010, the payment module included a "test harness" controller (commit, which was not correctly secured against public access. It allowed a broad range of operations against the configured DPS API, including listing payments incl. amounts and transaction details, refunding and authenticate existing payments, create new payments. It does not expose the actual payment API credentials, customer or credit card details. The vulnerability also doesn't allow directing payments to a different account.
This affects all recent versions of the module, but is limited to the DPS/PaymentExpress payment provider.
We have removed the functionality from the module. If you are using the functionality, please port it into your own codebase and ensure the controller is secured to ADMIN permissions. As a hotfix, you can also remove code/Harness.php to secure the installation. In this case, don't forget to flush the manifest cache by appending ?flush=1 to any SilverStripe URL.
Reporter: Nicolaas Thiemen-Francken
- Security: XML Injection in DPSAdapter API Requests
The doPayment(), postConnect() and doDPSHostedPayment() methods on DPSAdapter did not sanitize
method arguments before constructing an XML request from it, and passing it on to the DPS API.
Since these arguments are typically derived from user input, the method is considered unsafe.
- Security: Information Leak in DPSAdapter (see 0.3.1)
- Security: Information Leak in DPSAdapter
Severity: Important
Description: Exposure of DPS credentials through web URLs, routed through the DPSAdapter controller.
Impact: An attacker might be able to simulate payments using live payment gateway credentials. With knowledge of the DPS transaction number, he could also operate on existing payments. In case credentials are reused for other logins, these might get compromised as well. The DPS PXPost and PXPay APIs don't expose customer data and truncates credit card data, so the impact is limited.