twigster

OSCOMMERCE ORDER HACK!!!

I have just managed to hack my website and I believe I am not the only person with this problem.

 

When buying an item from my shop I went through the normal checkout procedure.

 

I selected the postage method and then the nochex method for payment.

 

When hitting the nochex credit/debit card payment screen I typed the following in the URL address bar.

 

https://www.mydomain.com/catalog/checkout_process.php

 

This then took me to the order confirmation screen and added the items I ordered to the database without having paid for them.

 

Has this problem been spotted before and is there a fix for it as I can't go live with my shop until this has been fixed.

 

Regards

Mike

Have you set permissions correctly on your website? I've just tried to replicate the same error with my example store and don't appear to get any problems at all....

What permissions do I need to set to get this problem fixed?

 

Many Thanks

Just the basic ones it advises in the installation file......

 

Rename the catalog/install folder or delete it.

Reset the permissions on /catalog/includes/configure.php to 644 (if you are still getting the warning message at the top set configure.php to 444 which is read only - this happens on some servers that have been updated for security reasons).

Set the permissions on /catalog/images directory to 777.

Reset the permissions on /catalog/admin/includes/configure.php to 644.

Create the dir /catalog/admin/backups and set the permissions to 777.

Set the permissions on /catalog/admin/images/graphs directory to 777.

You need to .htaccess your /catalog/admin directory so that it is password protected. You can use the password manager in your server admin area like cpanel.


chmodding your folders isn't going to solve it.

I (and many others) have posted about this before and there is no known fix. Verifying your orders before sending stuff out is all you can do.

Same problem with my catalog, thanks very very much for highlighting this, if you have any suggestions please do share. I think it's a big problem.


I just decided to take a look and did the same thing, I got to the checkout confirmation page before typing in 'checkout_process' - the same thing happened.

 

You just get to the checkout confirmation page and don't hit the continue button, you simply go type in the hack and it works.

 

Yes, store owners should log in to their paypal accounts etc before releasing goods to make sure of the payment but there has to be a fix somewhere


Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH


I just checked this out - went as far as checkout_confirmation.php and changed the address to checkout_success.php and did go to the checkout_success.php page. However, no order was recorded in the admin panel, the shopping cart did not get updated, and no order emails got fired off.

 

I haven't been able to replicate the original problem - of getting as far as the PayPal payment screen, then changing the URL in the address bar and coming back to checkout_success.php with the order having been processed. All that I got was the Shopping Cart page saying that the cart was empty, with no order recorded.

 

I don't know what happens with Nochex as I don't use them.

 

Vger


NoChex probably posts some information to checkout_process.php. (Though OSC probably ignores this since it's not strictly necessary for completing an order). Checking for a "return value" from Nochex in checkout_process.php would verify the customer completed checkout on a third party site.


Contributions

 

Discount Coupon Codes

Donations


A simple solution may be to rename checkout_process.php to a non-meaningful name such as xyzabc.php and then renaming the appropriate filename definitions to match in filename.php.

This way only you know the name of the actual checkout process file. Everyone else has to guess.

 

existing:

define('FILENAME_CHECKOUT_PROCESS', 'checkout_process.php');

 

new:

define('FILENAME_CHECKOUT_PROCESS', 'xyzabc.php');

If they guess correctly, they deserve to get the item for free :)

This won't stop any competent fraudster. Though most wouldn't bother, they can find out the name of the checkout_process file if they place a real order, and thereafter can place orders under multiple accounts without going through the payment processing.

 

Also, if you have a payment type that doesn't require the customer to leave your site (such as COD) they can proceed as far as the confirmation screen and get the URL that posts to. From that point, they can return to the payment screen, switch to another form of payment, and skip to checkout_process.



The best thing is to have temporary URLs that are produced by the database; each time a buyer buys an item there is a new URL for the checkout_success.php and the URL is auto-deleted after he moves on, or leaves the site.

 

http://w3schools.invisionzone.com/index.php?showtopic=4598

 

I got these suggestions from another forum, but don't know how to accomplish it, maybe someone else can, and put an end to this issue.

Payment modules like Nochex (I assume) and Paypal require a static URL for when a customer returns to your site from their checkout.


Regardless of the payment module selected, the hack is still there.

 

If you add an item to the cart and continue with checkout, it should take you to the checkout_shipping page. Once shipping is selected and 'continue' selected, it should take you to the checkout_payment page. At this point you can select any method of payment you like (paypal, nochex, authorizenet - anything).

 

Once selected and 'continue' is pressed it should take you to the checkout_confirmation page - at this point all you have to do is type in URL/checkout_process.php and the transaction is completed. Even the emails are sent as if a normal real order had taken place.

 

The order is also updated in admin and the method of payment you selected shows up as the method of payment.

 

The only way of distinguishing the fraudulent transaction from a bona fide one is the fact that the payment module (i.e. paypal/nochex/authorizenet etc) hasn't sent you an email stating payment was sent!

 

This hack is an absolute disaster for osC sites that have downloadable items.



Not sure if this helps anyone, but I tried to duplicate this scenario and when I type checkout_success.php in the browser at checkout_confirmation.php, I get the shopping_cart.php screen with an empty cart and no order generated. I use PayPal WPP, but do not use Nochex.


Why type checkout_success.php?

 

You need to re-read my previous post and note where and when to type checkout_process.php regardless of the payment module used



I have rechecked this, and "Yes" it is a problem - and not just with osCommerce either!

 

Vger

I just successfully "swiped" one of my downloadable products this way!

 

What can be done - is there a particular Paypal mod that will prevent this?

Is it not possible to set a transaction code in a transaction table at the top of confirmation when confirm is selected and have checkout_process check for that entry and remove it if present and refuse execution if it is not?


Treasurer MFC
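The transaction-code idea in the post above, combined with the earlier suggestion of checking a return value from the gateway in checkout_process.php, as an added example (not osCommerce, Nochex or PayPal code): a one-time token is issued at confirmation, but the order is only written once the gateway's server-to-server notification has marked that token as paid, since a token set at confirmation alone is present for anyone who reached the payment page and typed in checkout_process. The payment_confirmations table, the HMAC callback signature and the shared secret are assumptions.

```php
<?php
// Added example, not osCommerce, Nochex or PayPal code. The array below stands
// in for a hypothetical payment_confirmations table; the HMAC scheme and the
// shared secret are assumptions about how a gateway callback could be verified.
$payment_confirmations = [];

// checkout_confirmation: bind a fresh one-time token to this session and cart total.
function issue_checkout_token(array &$session, array &$table, float $total): string {
    $token = bin2hex(random_bytes(16));
    $session['checkout_token'] = $token;
    $table[$token] = ['amount' => $total, 'paid' => false, 'used' => false];
    return $token;
}

// Gateway callback endpoint (server-to-server, never the customer's browser): a valid
// HMAC over token|amount under the shared secret proves the message came from the gateway.
function record_gateway_confirmation(array &$table, string $token, float $amount,
                                     string $sig, string $shared_secret): bool {
    $expected = hash_hmac('sha256', $token . '|' . number_format($amount, 2, '.', ''), $shared_secret);
    if (!isset($table[$token]) || !hash_equals($expected, $sig)) {
        return false;
    }
    if (abs($table[$token]['amount'] - $amount) > 0.005) {
        return false; // paid a different amount than the order total
    }
    $table[$token]['paid'] = true;
    return true;
}

// checkout_process: create the order only for a token the gateway has marked
// paid, and consume it so one confirmation cannot produce a second order.
function checkout_process(array &$session, array &$table): bool {
    $token = $session['checkout_token'] ?? null;
    if ($token === null || empty($table[$token]['paid']) || $table[$token]['used']) {
        return false; // no verified payment: do not write the order or send emails
    }
    $table[$token]['used'] = true;
    unset($session['checkout_token']);
    return true; // safe to insert the order, send emails and release downloads
}

// Walk-through with constructed values.
$secret  = 'example-shared-secret';
$session = [];
$token   = issue_checkout_token($session, $payment_confirmations, 19.99);
echo 'typed-in URL before paying: ', var_export(checkout_process($session, $payment_confirmations), true), "\n";
$sig = hash_hmac('sha256', $token . '|19.99', $secret);
record_gateway_confirmation($payment_confirmations, $token, 19.99, $sig, $secret);
echo 'after gateway callback:     ', var_export(checkout_process($session, $payment_confirmations), true), "\n";
echo 'replay of the same token:   ', var_export(checkout_process($session, $payment_confirmations), true), "\n";
```

The walk-through covers the three cases the thread describes: jumping straight to checkout_process after confirmation, a genuine gateway-confirmed payment, and reusing a confirmation to create a second order.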
