Security issue - Possible to purchase without payment!

15 replies to this topic

#1   viswablr

viswablr
  • Members
  • 3 posts

Posted 04 August 2012 - 18:09

Hello all,

I have not checked this on latest oscommerce, but I confirmed this in one of the distributions using oscommerce.

=> Add products to cart

=> Checkout and fill relevant information

=> Once the site redirects to payment gateway, manually type: http://store_name.co...out_process.php

=> Alas, the order is successful, without paying a penny!

=> If the product is downloadable, you already get links to download.

Thanks

#2   Praful Kamble

Praful Kamble
  • Members
  • 325 posts

Posted 04 August 2012 - 18:12

@viswablr

May we know the purpose of this?

#3   viswablr

viswablr
  • Members
  • 3 posts

Posted 04 August 2012 - 18:15

Hi Praful,

Purpose of what????

Please double-check your installation to see if this problem is there; if it is, close down your site, fix the error and reopen.

thanks...

#4   shamanix

shamanix
  • Members
  • 13 posts

Posted 05 August 2012 - 18:43

> Hello all,
>
> I have not checked this on latest oscommerce, but I confirmed this in one of the distributions using oscommerce.
>
> => Add products to cart
>
> => Checkout and fill relevant information
>
> => Once the site redirects to payment gateway, manually type: http://store_name.co...out_process.php
>
> => Alas, the order is successful, without paying a penny!
>
> => If the product is downloadable, you already get links to download.
>
> Thanks


I can confirm that this works in v. 2.3.1 with the PayPal payment module but not the SagePay module... there is however a different issue whereby you can obtain discounted products when using SagePay.

Has anyone been able to check the 2.3.3 updates that have been posted to Github to see if that fixes this problem?

Jandy

#5   shamanix

shamanix
  • Members
  • 13 posts

Posted 05 August 2012 - 19:09

I'd just like to add that if someone tricks the checkout in this way then, providing you have configured your payment gateway and store to send emails...

a) Customer bypasses PAYPAL: You will receive your regular 'order process' email from your store, but you WILL NOT receive a "Notification of Payment" from PayPal which should stick out enough to alert you that there is a problem with the order.

b) Customer tricks SAGEPAY: You will receive a notification of Payment (as you have to actually pay something) but the total paid on the SagePay email WILL NOT match the total on the order notification sent to you by your store.

So always check your emails before processing orders...

#6   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts

Posted 05 August 2012 - 19:18

A properly configured cart DOES NOT have any vulnerabilities. Check your settings if you think you have a problem.



Chris

#7   shamanix

shamanix
  • Members
  • 13 posts

Posted 05 August 2012 - 20:18

> A properly configured cart DOES NOT have any vulnerabilities. Check your settings if you think you have a problem.
>
> Chris


I know I have a problem as I can add orders without paying using "PayPal Website Payments Standard" and additionally I can add extra products for free using "Sage Pay Form".

I've checked my settings and I am sure that I have configured them correctly yet the problem still persists. If there's any chance you could cast your eye over these settings and see if there is a glaring error or something I have missed that would be great.


Here's my PayPal config:

Enable PayPal Website Payments Standard : True
E-Mail Address : pppayment@ MyWebSiteScripts .com
Payment Zone : --none--
Set Preparing Order Status : Preparing [PayPal Standard]
Set PayPal Acknowledged Order Status: Pending
Gateway Server: Live
Transaction Method: Sale
Page Style: <blank>
Debug E-Mail Address: ppdebug@ MyWebSiteScripts .com
Sort order of display. : 30
Enable Encrypted Web Payments: True
Your Private Key: /<somepath>/my-prvkey.pem
Your Public Certificate: /<somepath>/my-pubcert.pem
PayPals Public Certificate: /<somepath>/paypal_cert_pem.txt
Your PayPal Public Certificate ID: xxxxxxxxxxxxx
Working Directory: /<somepath>/work/
OpenSSL Location: /<somepath>/openssl


And here's SagePay

Enable Sage Pay Form Module : True
Vendor Login Name: xxxxxxxxxx <provided by sagepay>
Encryption Password: xxxxxxxxxxxxxxxx <provided by sagepay>
Transaction Method: Payment
Transaction Server: Live
Vendor E-Mail: sagepay@ MyWebSiteScripts .com
Send E-Mail: Customer and Vendor
Customer E-Mail Message: <blank>
Payment Zone: --none--
Set Order Status: Pending
Sort order of display.: 10

Many thanks
Jandy

#8   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts

Posted 05 August 2012 - 21:47

@shamanix

Use PayPal Standard ONLY with Certificate Credentials or use PayPal Express with API. Like I said, a properly configured cart has no vulnerabilities.


Chris

#9   shamanix

shamanix
  • Members
  • 13 posts

Posted 05 August 2012 - 22:25

@DunWeb

What's the difference between "PayPal Standard ONLY" that you mentioned and "PayPal Website Payments Standard", and where can I find the "PayPal Standard ONLY" module (as it's not listed on my install)?

I have configured my "PayPal Website Payments Standard" module as detailed by @Mort-lemur in http://forums.oscommerce.com/topic/387748-closing-the-paypal-checkout-confirmation-exploit/ - is that what you mean by Certificate Credentials?

I notice "PayPal Express Checkout" is available so will configure and try that too. Thanks!

Jandy

#10   14steve14

14steve14
  • Members
  • 3,505 posts

Posted 06 August 2012 - 06:43

@shamanix

Read the post again, the ONLY is not the name of a contribution, it's explaining what you should do.
REMEMBER BACKUP, BACKUP AND BACKUP

Don't take life too seriously. no one gets out alive anyway

#11   shamanix

shamanix
  • Members
  • 13 posts

Posted 06 August 2012 - 09:10

> @shamanix
>
> Use PayPal Standard ONLY with Certificate Credentials or use PayPal Express with API. Like I said, a properly configured cart has no vulnerabilities.
>
> Chris



I too would like a properly configured cart with no vulnerabilities, but in order to achieve that I need some guidance.
I'm trying to establish if I have installed and configured the correct payment module or if I need to download and install a different one.

So my questions are:

- Is "PayPal Standard" (referred to above) the same payment module as "PayPal Website Payments Standard" which is listed in modules->payment on my default system install?

- If the answer is yes then:
Does "ONLY with Certificate Credentials" (referred to above) mean setting up this module with openssl as detailed in this post: http://forums.oscomm...mation-exploit/ ?

- If the answer is yes then:
Please can you look at my configuration listed above at point #7 and point me to what I have overlooked and how to go about properly configuring it. (Ignore the email addresses because they have been converted to some bizarre @ mention by the forum software.)

Help appreciated, Thank you

Jandy

#12   viswablr

viswablr
  • Members
  • 3 posts

Posted 06 August 2012 - 12:35

Hi All,

I do not see any additional configuration I need to do in shopping cart.

To me, the problem looks more like a flaw in the design...

1) If I am selling physical products, I can always double check order versus payment, so no problem.

2) But, if I am going to sell virtual products (downloadable SW, tickets, vouchers, etc., where the cart will automatically enable a download link or provide a voucher for download), this is a SERIOUS issue.

#13   14steve14

14steve14
  • Members
  • 3,505 posts

Posted 06 August 2012 - 16:26

If you are selling downloadable products, add the super download store addon. This, I believe, checks for a payment before allowing the download, or changing the order status to download available. If no payment is found, the order status does not change.

#14   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,708 posts

Posted 01 September 2012 - 08:51

> => If the product is downloadable, you already get links to download.
v2.2RC2 introduced download flags tied to the order status. Downloads are only made available depending on the order status. Downloads are disabled for the default order status (Pending) which "Set PayPal Acknowledged Order Status" is also set to by default.
Harald Ponce de Leon

#15   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,708 posts

Posted 01 September 2012 - 09:46

> To me, the problem looks more like a flaw in the design...
>
> 1) If I am selling physical products, I can always double check order versus payment, so no problem.
>
> 2) But, if I am going to sell virtual products (downloadable SW, tickets, vouchers, etc., where the cart will automatically enable a download link or provide a voucher for download), this is a SERIOUS issue.

It is not a flaw in design as the PayPal Instant Payment Notification (IPN) is used to verify the payment transaction.

Yes, with the PayPal Website Payments Standard payment module it is possible to skip the payment at PayPal and process the order through checkout_process.php. With this payment method it is not possible to verify who is accessing checkout_process.php. A check for the referrer can be added but this can be spoofed.

It is the way the PayPal Website Payments Standard feature works and affects all e-commerce solutions.

If there is no PayPal IPN message stored with the order, no payment in your PayPal account, and there is no sign of an IPN in your PayPal Account IPN History, then you can be sure the order is fake and the customer a fraud.

Downloadable products are not affected as of v2.2RC2 (from 2008) as downloads are only enabled for specific order statuses. Downloads are disabled for the default Pending order status that is used for new orders.

A more tightened and secure transaction design is available with the PayPal Express Checkout payment module.
Harald Ponce de Leon

#16   Harald Ponce de Leon

Harald Ponce de Leon

    Healthy Giraffe

  • Core Team
  • 4,708 posts

Posted 02 September 2012 - 11:09

I have to correct myself. I just read through the PayPal API documentation again and discovered it is possible to verify the transaction in checkout_process.php.

It is possible for PayPal to send the same parameters it sends with the IPN to checkout_process.php when the customer returns back to the store. Here we can validate the transaction and if PayPal verifies it, the order is processed as normal. If the parameters are missing or if PayPal declares the transaction invalid, the order processing is skipped and the customer is returned to the shopping cart page.

This will be included in PayPal Website Payments Standard v1.1 and osCommerce Online Merchant v2.3.4.
Harald Ponce de Leon
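The server-side check Harald describes in #16 (validate the parameters PayPal sends back with the customer before checkout_process finalises the order) together with the fraud test from #15 and the total-matching test from #5, as an added Python example that is not osCommerce's own code. The order record, the `fake_paypal_validate` stand-in for the HTTPS post-back to PayPal, and every sample value are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample order, as the store would save it before redirecting
# the customer to PayPal (amounts kept as Decimal, never float).
ORDER = {"id": 1001, "total": Decimal("49.99"), "currency": "GBP",
         "receiver_email": "pppayment@example.com"}

# Constructed stand-in for the post-back to PayPal that answers "VERIFIED"
# or "INVALID"; a real store POSTs the received parameters back to PayPal
# over TLS here instead of checking a hard-coded transaction id.
def fake_paypal_validate(params):
    return "VERIFIED" if params.get("txn_id") == "TXN-CONSTRUCTED-1" else "INVALID"

REQUIRED = ("txn_id", "payment_status", "mc_gross", "mc_currency", "receiver_email")

def verify_payment_return(params, order, seen_txn_ids, validate=fake_paypal_validate):
    """Return (ok, reason). Only ok=True may let checkout_process finalise the order."""
    # 1. A direct visit to checkout_process.php carries no PayPal parameters at all.
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        return False, "missing PayPal parameters: " + ", ".join(missing)
    # 2. Ask PayPal whether it really issued exactly these parameters.
    if validate(params) != "VERIFIED":
        return False, "PayPal did not verify the transaction"
    # 3. Only a completed payment funds the order (not Pending, Reversed, ...).
    if params["payment_status"] != "Completed":
        return False, "payment_status is %r, not Completed" % params["payment_status"]
    # 4. The money must have gone to this store's own PayPal account.
    if params["receiver_email"].lower() != order["receiver_email"].lower():
        return False, "receiver_email does not match the store account"
    # 5. Amount and currency must match the order the store computed; this is
    #    the comparison post #5 does by hand between the two e-mails.
    try:
        paid = Decimal(params["mc_gross"])
    except InvalidOperation:
        return False, "mc_gross is not a number"
    if params["mc_currency"] != order["currency"] or paid != order["total"]:
        return False, "paid %s %s does not match order total %s %s" % (
            paid, params["mc_currency"], order["total"], order["currency"])
    # 6. One PayPal transaction pays for one order: reject a replayed txn_id.
    if params["txn_id"] in seen_txn_ids:
        return False, "txn_id already used for another order"
    seen_txn_ids.add(params["txn_id"])
    return True, "verified"
```

When the function returns False the store should do what #16 describes: skip order processing and send the customer back to the cart, keeping the reason in the order's log for later fraud review.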