Payment modules security problem!

[jmroth]

Hi there,

I have noticed this behavior with the PayPal module, but it might very well be present with other payment modules. In fact, I don't see how it could not.

 

First, a little background: I rely on the order status to trigger certain things, like when my (custom) order status "Paid" is set, the shipping details go to the logistics company etc.

To that end there must not be any possibility for the end user to change that status (i.e. hack!)

 

Now what is doable, at least using PayPal with IPN is the following:

Since we go from checkout_confirmation.php to Paypal which (optionally) redirects us back to checkout_success.php or such, thus checkout_process.php is never called, which is good, as the script in the ext/ directory sets the new order status.

However, instead of paying via Paypal, the technically skilled customer could just call the checkout_process.php manually, which would call the before_process() function of the payment module, which would set the status to "Paid" or "Complete" or whatever you have as PAYPAL_[...]_ORDER_STATUS_ID.

 

Of course that is not acceptable since, as mentioned, I need the order status as my absolute and secure indicator of what is going on with the order. So how is this supposed to work at all?? Seems like an inherent security flaw to me.

 

But, I am not just complaining, I also have a solution which works for me:

 

In checkout_process.php I am only calling before_process() (and whatever follows) if the payment module allows me to do so (this is set in the allowed_process variable).

if ($GLOBALS[$payment->selected_module]->allow_process === true) {
 // load the before_process function from the payment modules
 $payment_modules->before_process();
} else {
 // the case where the logic is completely inside the payment module
 die();
}

 

Any thoughts?

[jmroth]

It seems the discussion about this is taking place here:

http://www.oscommerce.com/forums/index.php?showtopic=290075