Jump to content
Sign in to follow this  
peterolin

ALERT! Severe security hole in payment handling

Recommended Posts

We've discovered what appears to be a severe security flaw in the payment process of osCommerce.

 

After having developed a simple card payment module, we've found a very simple way to bypass it.

 

By some very basic cut-and-paste operations, a buyer can easily fill their shopping cart with goods, and then by-pass the payment module, and proceed to having their order completed. [i'm reluctant to post a detailed description of the exploit at this moment]

 

In the osC-Admin-interface, the order seems to be fully paid by the specified method.

 

This seems so basic, that I'm convinced that others must have stumbled across it before, and solved the problem.

 

I've tried to use this exploit in a few osCommerce-shops around the world, and it seems to work fine with for example PayPal and WorldPay modules.

 

So, what I'm wondering about is:

a) Are all shop keepers aware of this, and checking payments with their payment handlers before shipping? Or are they relying on the osCommerce Admin interface?

b) Is there some magic that should be done in payment modules, that we and others have overlooked? If so, what?

c) Is there a patch for this, or some documentation that describes to how to make a more robust payment module?

 

 

Kind Regards,

Peter Olin

Share this post


Link to post
Share on other sites

I think a clarification is needed. The exploit that we've found is not the one pointed out in the thread linked to above.

 

What we've found is a way to entirely bypass the payment code.

 

When the buyer is on the checkout confirmation page (checkout_confirmation.php), if the buyer then pastes the URL to the checkout confirmation page (checkout_process.php), the order is placed without even having to pass the payment at all.

 

My guess is that the payment modules are poorly written, but I don't really know in what way, and how they should be written properly.

 

/Peter Olin

Share this post


Link to post
Share on other sites

That is the same principle though, and is being addressed on the technical side for the MS3 release to further help the store administrator in verifying their orders.


:heart:, osCommerce

Share this post


Link to post
Share on other sites

Ok, so there are no code solution to this issue atm, the shopowner need to check their orders manually with whatever payment-company they have implemented in the shop...?

 

Just for clarification :)

Share this post


Link to post
Share on other sites

Are there any workarounds or solutions to this offered by the community available?

 

I've seen (the results of) a payment module that does not have this problem - any ideas about how they handled it?

 

When is MS3 expected?

Share this post


Link to post
Share on other sites
I think a clarification is needed. The exploit that we've found is not the one pointed out in the thread linked to above.

 

What we've found is a way to entirely bypass the payment code.

 

When the buyer is on the checkout confirmation page (checkout_confirmation.php), if the buyer then pastes the URL to the checkout confirmation page (checkout_process.php), the order is placed without even having to pass the payment at all.

 

My guess is that the payment modules are poorly written, but I don't really know in what way, and how they should be written properly.

 

/Peter Olin

What we do is to reconcile payments made at our payment gateway with the order no. and its total and only then do we send the material. This way we try to remain alert against any wrong doings.


You teach best what you most need to learn

(Richard Bach - Illusions)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×