Checkout confirmation exploit with Opera!


28 replies to this topic

#1   motorsep

  • Members
  • 5 posts
  • Real Name: Alexander Zubov

Posted 17 June 2012 - 12:37 AM

This is pretty serious. Someone was able to right-click on the Confirm button when checking out with PayPal, simply correct the price value, save the file and check out (Opera and Chrome issue). How to fix?! Thanks.

Edited by motorsep, 17 June 2012 - 12:46 AM.


#2   DunWeb

    The Censored One

  • Members
  • 12,720 posts
  • Real Name: Chris
  • Gender: Male
  • Location: Ontario, Canada

Posted 17 June 2012 - 01:40 AM

@motorsep

I checked this with Chrome and could not replicate the issue you stated. I do not use Opera so I could not test it. Are you using a standard installation or a template site?



Chris

#3   motorsep

  • Members
  • 5 posts
  • Real Name: Alexander Zubov

Posted 17 June 2012 - 10:29 PM

I am using standard install. Here are the steps to reproduce (the "attacker" sent me these):

http://i062.radikal.ru/1206/c7/99e8f94bc005.png
http://s017.radikal.ru/i427/1206/80/7bf1e6b97b67.png
http://s019.radikal.ru/i637/1206/72/fb382df95632.png

So anyone can change the values because the data isn't passed to PayPal securely.

Edited by motorsep, 17 June 2012 - 10:39 PM.


#4   MrPhil

  • Members
  • 4,127 posts
  • Real Name: Phil
  • Gender: Male

Posted 20 June 2012 - 01:42 AM

That's interesting. I could well imagine that any application where the cost data is passed directly from the browser to any payment system (such as PayPal) could be modified in such a way as to fake the cost data. All it would take would be to use Firebug or the built-in equivalent in other browsers to modify "hidden" form data before it's sent, and you've just sold something for pennies on the dollar. Is there anything to send a checksum or hash (generated on the server) so that PayPal could detect that the numbers are inconsistent? Does osC send the data directly to PayPal without going through the browser's HTML? Obviously, osC can detect such fraud by comparing numbers, but what is the recourse when that's already been sent to PayPal? Would a merchant be penalized for canceling sales and refunding payments?

Long ago, this sort of thing (altering costs in a GET string) was something we were warned about in HTML class: a fraudster could simply send their own GET string with their own numbers back to our server, and we needed to verify numbers (check price against the database price, etc.). It sounds like even with hidden POST data, fraudsters have the capability to insert their own values as desired. The only way to avoid this would be for osC (at the server) to talk directly to PayPal, and not send anything through the browser. Is it done this way already? I would hope so, as it's been possible for a long time to save a page's HTML in a file, alter it (e.g., hidden POST fields), and presumably send it on. The alternative would be to require osC (server) to confirm the numbers before PayPal finalizes the transaction.

#5   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 01:51 PM

This is quite worrying.

I tried it on my sites, made an order of around £10.00, and amended the amount to £0.01 prior to submission as described above.

The order was placed, the PayPal IPN gave a good result to the site, the order shows the correct value in admin, and yet I only paid £0.01 for the order. The only saving grace is that the PayPal IPN module I use kept the payment status at Pending, as the full amount had not been received.

I can't comment on how PayPal Express or Standard would deal with this, or for that matter any of the other payment modules.

Is there any way to fix this? I must admit I don't always check the order value against the PayPal payment.

Thanks
Now my store is the way I want it - Secure, working well, and good Google Ranks - Thanks to all for the help given.

If you want to see the mods I have installed, then see my profile.

#6   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 02:31 PM

One thing I also forgot to mention is that both as the store owner and as the mischievous customer I receive emails stating that the order has been made, to the correct value!

Thanks

#7   multimixer

    Lemons or Melons?

  • Partner
  • 4,387 posts
  • Real Name: George Zarkadas
  • Gender: Male
  • Location: Greece

Posted 22 June 2012 - 02:51 PM

I wonder how it happens that checkout_confirmation.php has those hidden fields for the values.

The regular checkout_process.php does not need this kind of hidden value; it takes fresh data from the order class.

The only hidden field in checkout_confirmation.php is for the order comments.

So this is not an osCommerce problem in general, but the result of some customization or add-on.

#8   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 06:11 PM

OK, I don't think I have that degree of customisation on my checkout confirmation page.

Does anyone have an almost-stock osC 2.2 store I can try this on?

Thanks

#9   burt

    Code Monkey

  • Community Team
  • 7,738 posts
  • Real Name: G Burton
  • Gender: Male
  • Location: UK/DEV/on

Posted 22 June 2012 - 06:23 PM

Some payment modules make use of hidden form elements, and it would be these that could be caught in this way.
There is not a lot that can be done, other than to check that the payment amount and the order amount are the same (manually).

Or, even better: don't use payment modules that use hidden form fields.

Edited by burt, 22 June 2012 - 06:23 PM.

eBooks / Templates

Warning: My posts may contain Horsemeat.
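What the check Heather describes in #5 (the IPN module holding the order at Pending because the full amount never arrived) and the manual comparison burt suggests in #9 look like when the store does it automatically. This is an added example, not osCommerce or PayPal code. It assumes PayPal's documented IPN handshake (post the message back with cmd=_notify-validate and accept only a VERIFIED reply) and the standard IPN variable names (invoice, txn_id, payment_status, mc_gross, mc_currency, receiver_email); the order store, the sample IPN bodies and the offline stand-in for the postback are all constructed here. The point MrPhil raises in #4 applies: VERIFIED only proves PayPal sent the message, it says nothing about whether the buyer paid what the order is worth, so the store has to compare against the total it recorded itself and never against anything that came through the browser.

```python
"""Reconcile a PayPal IPN message against the order the store recorded.

Added example (not osCommerce or PayPal code). The order store, the IPN
bodies and the offline postback stand-in are constructed for illustration.
"""
from decimal import Decimal
from urllib.parse import parse_qsl, urlencode
import urllib.request

# PayPal's live IPN verification endpoint (sandbox: ipnpb.sandbox.paypal.com)
IPN_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def postback_to_paypal(raw_body: bytes) -> str:
    """Echo the raw IPN body back to PayPal prefixed with cmd=_notify-validate.

    PayPal replies with the literal string VERIFIED or INVALID. This is the
    only network call; reconcile_ipn() lets you inject a replacement for it.
    """
    req = urllib.request.Request(
        IPN_VERIFY_URL,
        data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "ipn-reconciler/1.0"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()


def reconcile_ipn(raw_body: bytes, orders: dict, seen_txn: set,
                  receiver_email: str, postback=postback_to_paypal):
    """Return (decision, reason); decision is 'paid', 'pending' or 'reject'.

    'paid' is returned only when PayPal confirms the message AND every field
    matches what the store itself stored for the order. Nothing the browser
    sent during checkout is consulted.
    """
    if postback(raw_body) != "VERIFIED":
        return "reject", "postback did not answer VERIFIED"
    ipn = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))

    order = orders.get(ipn.get("invoice"))
    if order is None:
        return "reject", "invoice does not match any order"
    if ipn.get("receiver_email", "").lower() != receiver_email.lower():
        return "reject", "receiver_email is not this store's PayPal account"
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn:
        return "reject", "missing or already-processed txn_id"
    if ipn.get("payment_status") != "Completed":
        return "pending", "payment_status=%s" % ipn.get("payment_status")
    if ipn.get("mc_currency") != order["currency"]:
        return "pending", "currency %s, order is in %s" % (
            ipn.get("mc_currency"), order["currency"])
    paid = Decimal(ipn.get("mc_gross", "0"))
    if paid != order["total"]:
        # Heather's case: the buyer edited the hidden amount, PayPal collected
        # it, and the IPN verifies fine. Hold the order for a human.
        return "pending", "paid %s but order total is %s" % (paid, order["total"])

    seen_txn.add(txn_id)
    return "paid", "amount, currency, receiver and invoice all match"


# --- constructed sample data (hypothetical store and order) -----------------
STORE_EMAIL = "sales@example-store.invalid"
SAMPLE_ORDERS = {"1001": {"total": Decimal("10.00"), "currency": "GBP"}}


def sample_ipn(mc_gross: str, txn_id: str = "3XY12345AB678901C") -> bytes:
    """A constructed IPN body carrying the fields the checks above look at."""
    return urlencode({
        "invoice": "1001", "txn_id": txn_id, "payment_status": "Completed",
        "mc_gross": mc_gross, "mc_currency": "GBP",
        "receiver_email": STORE_EMAIL, "payer_email": "buyer@example.invalid",
    }).encode()


def verified(_body: bytes) -> str:
    """Offline stand-in for the postback: pretend PayPal answered VERIFIED."""
    return "VERIFIED"


if __name__ == "__main__":
    seen = set()
    for body in (sample_ipn("0.01"), sample_ipn("10.00"), sample_ipn("10.00")):
        print(reconcile_ipn(body, SAMPLE_ORDERS, seen, STORE_EMAIL, postback=verified))
```

Run as a script it prints three decisions for the constructed messages: the £0.01 payment against a £10.00 order is held as pending, the full payment is marked paid, and a replay of the same txn_id is rejected. In a real handler the body must be posted back byte for byte, before any parsing, and the pending branch should put the order in front of a person rather than silently completing it.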

#10   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 06:39 PM

Yeah, looked at other payment methods: EPDQ, Bank Transfer, Cheque etc.

Looks like this is only with PayPal payments, well, on my sites anyway!

Thanks

#11   burt

    Code Monkey

  • Community Team
  • 7,738 posts
  • Real Name: G Burton
  • Gender: Male
  • Location: UK/DEV/on

Posted 22 June 2012 - 06:43 PM

I think, though I have not checked, paypal_standard (the one packaged with 2.3.1) would be OK.

#12   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 06:45 PM

No, I tried that one on my development site; that has hidden fields as well.

#13   burt

    Code Monkey

  • Community Team
  • 7,738 posts
  • Real Name: G Burton
  • Gender: Male
  • Location: UK/DEV/on

Posted 22 June 2012 - 06:47 PM

Ah OK. I had a feeling they were encrypted, but obviously not!

#14   Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name: Isabella
  • Gender: Female
  • Location: Switzerland

Posted 22 June 2012 - 08:46 PM

Does this happen with PayPal Express as well, or just with PayPal Standard?
~ Don't mistake my kindness for weakness ~
~ viam supervadet vadens ~

#15   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 09:07 PM

Having read through the PayPal details for setting up a site with PayPal, it looks like it is a requirement to have hidden fields to be able to use PayPal.

I wonder if this could be exploited on non-osC sites. I may take a look at that....

#16   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 09:16 PM

OK,

I just went to the osC Sponsorship page, where I selected the 30 Euro option for sponsorship, displayed the hidden fields as shown below, and changed the 30 Euro to 1 Euro. Sure enough, when I pressed submit I was taken to PayPal, where I was being billed for 1 Euro.

So this is a problem / possible exploit for all sites using PayPal.

Attached Files: (screenshot of the hidden fields, not reproduced here)


Edited by Mort-lemur, 22 June 2012 - 09:17 PM.


#17   Mort-lemur

  • Members
  • 1,195 posts
  • Real Name: Heather
  • Gender: Female
  • Location: UK

Posted 22 June 2012 - 09:36 PM

I think the answer lies here : https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q

But that is beyond me unless someone puts it in simple terms.

Thanks

#18   Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name: Isabella
  • Gender: Female
  • Location: Switzerland

Posted 23 June 2012 - 08:17 AM

Hidden fields can be encrypted (I use PayPal buttons on a non-osC site and could choose the option to encrypt them when creating the actual button in the PayPal account).

As for the osC shops, there is a setting in the PayPal Standard module: "enable encrypted web payments". I haven't had time yet to try/test this, but the solution may lie there. I believe you're also meant to request API credentials from your PayPal account: go to profile > my selling tools > API access. I am not sure, however, where to enter the API certificate in the shop admin; in fact in the PayPal Standard module we have "your private key", "your public certificate", "PayPal's public certificate" and "your PayPal public certificate ID".
If anyone knows how to set this up, please help.

#19   burt

    Code Monkey

  • Community Team
  • 7,738 posts
  • Real Name: G Burton
  • Gender: Male
  • Location: UK/DEV/on

Posted 23 June 2012 - 09:39 AM

http://forums.oscommerce.com/topic/287153-paypal-ipn-how-to-generate-your-encryption-certs/

I knew I recalled something about encryption.

In essence: install OpenSSL, create the "key", then create the "public certificate" using the key.
Log in to your PayPal account and go to:
profile > my selling preferences > encrypted payment settings (it's right at the bottom of the page).

Click "add". Upload the PUBLIC cert you made. Follow the instructions.

Now you should have all the data/files needed to set the payments_standard to true.
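What the procedure in #17 to #19 produces, and what the store then does with the resulting files, as an added example that is not the paypal_standard module's code. It drives the openssl command line from Python: the key and self-signed public certificate burt describes, then the sign-then-encrypt pipeline PayPal's Encrypted Website Payments documentation specifies (sign the button variables with the merchant key as DER PKCS7, encrypt that to PayPal's certificate, and ship the PEM blob as a single hidden field named encrypted together with cmd=_s-xclick). PayPal's private key is obviously not available, so a constructed key/certificate pair stands in for PayPal's receiving side, and a third constructed pair plays the buyer from #16 who edits the amount. It assumes openssl is on PATH; every name, e-mail address and cert_id below is made up.

```python
"""PayPal Encrypted Website Payments: sign, encrypt, and why editing fails.

Added example, not the osCommerce paypal_standard module. It shells out to
openssl; the three key pairs (merchant, a stand-in for PayPal, an attacker)
are generated in a temporary directory and are all constructed.
"""
import os
import subprocess
import tempfile


def openssl(*args: str, stdin: bytes = b"") -> bytes:
    """Run one openssl command, return stdout, raise on non-zero exit."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=True).stdout


def make_key_and_cert(workdir: str, name: str) -> tuple:
    """The two steps from the thread: a private key and a self-signed public
    certificate made from it (the PUBLIC cert is what gets uploaded to PayPal)."""
    key = os.path.join(workdir, name + "-prvkey.pem")
    cert = os.path.join(workdir, name + "-pubcert.pem")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
            "-subj", "/CN=" + name, "-keyout", key, "-out", cert)
    return key, cert


def ewp_encrypt(fields: dict, signer_key: str, signer_cert: str, paypal_cert: str) -> bytes:
    """What the store emits at checkout instead of plain hidden fields.

    The button variables (including cert_id, PayPal's ID for the uploaded
    certificate) are signed with the merchant key, then encrypted to PayPal's
    certificate. The PEM blob is the value of the one hidden field 'encrypted'.
    """
    cleartext = "".join("%s=%s\n" % kv for kv in fields.items()).encode()
    signed = openssl("smime", "-sign", "-signer", signer_cert, "-inkey", signer_key,
                     "-outform", "der", "-nodetach", "-binary", stdin=cleartext)
    return openssl("smime", "-encrypt", "-des3", "-binary", "-outform", "pem",
                   paypal_cert, stdin=signed)


def paypal_side(blob: bytes, paypal_key: str, paypal_cert: str, uploaded_merchant_cert: str):
    """Model of PayPal's receiving side: decrypt, then accept the variables only
    if the signature chains to the certificate the merchant uploaded.
    Returns the variables as a dict, or None if the signature does not check out."""
    signed = openssl("smime", "-decrypt", "-inform", "pem", "-inkey", paypal_key,
                     "-recip", paypal_cert, stdin=blob)
    result = subprocess.run(["openssl", "smime", "-verify", "-inform", "der", "-binary",
                             "-CAfile", uploaded_merchant_cert],
                            input=signed, capture_output=True)
    if result.returncode != 0:
        return None
    lines = result.stdout.decode().splitlines()
    return dict(line.split("=", 1) for line in lines if "=" in line)


def run_demo() -> dict:
    """Honest checkout for 30.00 EUR, then a buyer who edits the amount to 1.00
    and re-signs with a key of their own (they do not have the merchant's)."""
    with tempfile.TemporaryDirectory() as workdir:
        merchant_key, merchant_cert = make_key_and_cert(workdir, "merchant")
        paypal_key, paypal_cert = make_key_and_cert(workdir, "paypal-standin")
        attacker_key, attacker_cert = make_key_and_cert(workdir, "attacker")

        fields = {"cmd": "_xclick", "business": "sales@example-store.invalid",
                  "cert_id": "HYPOTHETICAL-CERT-ID", "item_name": "Sponsorship",
                  "amount": "30.00", "currency_code": "EUR"}
        blob = ewp_encrypt(fields, merchant_key, merchant_cert, paypal_cert)
        legit = paypal_side(blob, paypal_key, paypal_cert, merchant_cert)

        tampered_fields = dict(fields, amount="1.00")
        forged = ewp_encrypt(tampered_fields, attacker_key, attacker_cert, paypal_cert)
        tampered = paypal_side(forged, paypal_key, paypal_cert, merchant_cert)

        return {"legit": legit, "tampered": tampered,
                "hidden_field_starts_with": blob[:21].decode()}


if __name__ == "__main__":
    out = run_demo()
    print("PayPal accepted amount:", out["legit"]["amount"])      # 30.00
    print("forged blob accepted:", out["tampered"] is not None)   # False
```

The hidden field the browser sees is now only the PEM blob. A buyer can still edit it, but any change to the ciphertext breaks decryption or the signature, and re-signing a lower amount needs the merchant's private key, which never leaves the server. That is also what the four module settings listed in #18 are for: your private key, your public certificate and PayPal's public certificate are the inputs to ewp_encrypt(), and the certificate ID goes into the signed variables as cert_id so PayPal knows which uploaded certificate to verify against.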

#20   Biancoblu

    1291 Giger's Alien

  • Community Sponsor
  • 704 posts
  • Real Name: Isabella
  • Gender: Female
  • Location: Switzerland

Posted 23 June 2012 - 11:28 AM

Thanks for that link, Gary.
I'm probably missing something dead obvious, but I am still not sure at all what needs to be installed and where.
I have downloaded my API credentials and was given an RSA private key and a certificate. I also found where to download PayPal's public certificate. Is that the info that needs to be entered for encrypted payments?