OSCOMMERCE ORDER HACK!!!

[robertgouveia]

so how do you inplement this into my site

[geoffrey_sy]

so how do you inplement this into my site

 

Hi Robert,

 

Just install the OSCommerce Paypal IPN module 1.3.

 

Regards,

Geoffrey

[oldshoe]

Hi,

 

In the Paypal IPN, you can set your order status to Pending until there is an IPN notification in which you change it to DELIVERED.

 

May I also add with Paypal IPN (in the latest IPN module release by OSCommerce), it even does a verification by communicating with paypal after receiving the IPN notification and ensuring the exact variables came from paypal. Paypal will return VERIFIED if the exact variables came from it.

 

Did I understand your comment exactly?

 

Regards

Geoffrey

 

Hi Geoffrey,

 

What if you get to the paypal login page and then edit the parameters in the URL, changing the price for example.

Something like:

https://www.paypal.com/cgi-bin/webscr?amoun...amp;cmd=_xclick

 

The hacker could set it to a lower price and make a real payment. Paypal would send the IPN notification but it can't check the correct price.

 

You would then sell things for a ridiculous price or chose to go through the hassle of refunding the money (+fees) - after the hassle of double-checking orders one by one.

 

Do you know any secure way around it?

Thanks,

Erik

[porpoise1954]

chmodding your folders isn't going to solve it.

i (and many others) have posted about this before and there is no known fix. verify your orders before sending stuff out is all you can do.

 

 

I spotted the potential for lots of erroneous orders where the payment authorisation was not verified, so I modded $checkout_process.php (and some other bits) so that unless the correct authorisation code comes back from the card-clearance provider, the order does not even process and does not obtain an order number and does not even leave the customer's basket. It did require a fair bit of hacking but I've been working in conjunction with our clearance service provider (PayOffshore/Paylink) to produce a plug-in module for osC. I'm sure the order processing bit could fairly easily be modified to work with any other clearance system - utilizing their postback data instead.

 

Once we've finished tidying up the code (getting rid of the debugging code etc.) the intention is to post it as a contirbution.

 

Steve

[oldshoe]

I spotted the potential for lots of erroneous orders where the payment authorisation was not verified, so I modded $checkout_process.php (and some other bits) so that unless the correct authorisation code comes back from the card-clearance provider, the order does not even process and does not obtain an order number and does not even leave the customer's basket. It did require a fair bit of hacking but I've been working in conjunction with our clearance service provider (PayOffshore/Paylink) to produce a plug-in module for osC. I'm sure the order processing bit could fairly easily be modified to work with any other clearance system - utilizing their postback data instead.

 

Once we've finished tidying up the code (getting rid of the debugging code etc.) the intention is to post it as a contirbution.

 

Steve

 

Hi Steve,

 

Would that cover price and quantity hacking as well?

 

A scenario like this:

1) Hacker would proceed normally until he's sent to Paylink page.

2) He would then hack the URL parameters to change the price or quantity that will be sent to Paylink.

3) Hacker makes a real payment.

4) Paylink wouldn't have means to check it's a hacked order. It would then process the payment and send you the authorisation code.

 

Even if you manually realise it's a strange order you'd have to go through the hassle of reimbursing the money.

 

Any comments?

Thanks,

Erik

[porpoise1954]

Hi Steve,

 

Would that cover price and quantity hacking as well?

 

A scenario like this:

1) Hacker would proceed normally until he's sent to Paylink page.

2) He would then hack the URL parameters to change the price or quantity that will be sent to Paylink.

3) Hacker makes a real payment.

4) Paylink wouldn't have means to check it's a hacked order. It would then process the payment and send you the authorisation code.

 

Even if you manually realise it's a strange order you'd have to go through the hassle of reimbursing the money.

 

Any comments?

Thanks,

Erik

 

 

I can't see how it would be possible without hacking the actual file that sends the data to Paylink (even assuming they knew what it was) and/or the database, as there is no way to inject values between checkout_process and the actual file that collects the data from the database and sends it to Paylink even if you knew what the variables were, and once you arrive at Paylink, it's too late because you are on a secure form for card data entry. We don't even see the card details - we pay Paylink for obtaining authorisation from the card issuer, so there is no need for us to collect/store that data (that way we carry no risk).

 

Then, the postback data is sent to 2 seperate locations for comparison/verification 1)back to checkout_process, 2) back to postback_poc (that might get renamed as we've discovered it's too much of a tongue twister in our conversations ;-) ), so there's no way for them to bypass Paylink and hack data coming back either - as the data from the hacked return would not match the data returned to the 2nd location direct from Paylink's secure server. I think we've pretty much covered all the bases between us. Once I've had time to tidy up all the files, and Nigel at Paylink and myself have compared notes and the code has been finalised, the intention is to post it as a contribution so that others may utilise their very competitive services. (I get no commission or anything for promoting them - I just think they are very competitive and, once we've finalised the code and contributed it to the community, I think it will probably be pretty much the most secure option available).

[david05]

Didn't even know this was a problem until I stumbled across this thread. This is an absolute priority whether the checkout process needs a complete rewrite or not. We can't continue with a product that has serious flaw in it, its just not acceptable on any level. Am still very surprised this isn't being discussed by everyone, it is just that important.

 

Other comments?

[david05]

No?

[graphicore]

I try to recreate the same problem here... But it doesn't seem to be affecting my site. Even the downloadable content.

 

I only have two checkout payment methods: Cashier check or paypal IPN.

 

When I try to replicate the hack it does not allow anything since the payment have to be cleared manually through the admin or either a generated code back from paypal is needed to change the order status.

[graphicore]

I try to recreate the same problem here... But it doesn't seem to be affecting my site. Even the downloadable content.

 

I only have two checkout payment methods: Cashier check or paypal IPN.

 

When I try to replicate the hack it does not allow anything since the payment have to be cleared manually through the admin or either a generated code back from paypal is needed to change the order status.

 

Dang!.... Yes it happends..... I was wrong on my previous post.

[graphicore]

Well After flyrting a little more I found a small way to keep my downloable content not available trhough this hack:

 

First... I have the download controller contribution set where the order status valua HAS to be 2 or higher. This is good since every order on checkout_process is set to 1 (so no download is available when jumping to the checkout_success).

 

So in Paypal IPN i set the preparing order status to: Default (pending) which sets the order to 1.

then I change the paypal acknowledge order status to: processed through paypal which is above 1. then the download is available on redirection from paypal.

 

So far, (unless I find something else) is working as it should because even if anyone interrupts the order and jump to the order_success the order remains set as 'Pending'.

[david05]

Does anyone know if this issue has been addressed 'officially' yet, bit disappointed to return to this thread after a couple of months and find almost no activity here. Is it just me or is this a MAJOR flaw with osC that has been fixed in commercial versions.

[GemRock]

...find almost no activity here...

Correct as in my view there is no need of any activity here - it is not a 'flaw' in osC, it is a 'flaw' in some payment modules - they are being addressed in different way in the relavent payment module thread on the osc forums. One example, if you use protx payment module then there is no chance of such a 'flaw' happenning. The key is encryption. Or you prove me wrong?

 

Ken

[david05]

maybe a list of payment modules not suseptible to this 'flaw' would be useful. i personally use WorldPay and PayPal.

[sheltonjb]

Hi Guys,

 

Just wondering, is this only a problem with nochex payments?

 

thanks

[clrob11]

Hi Guys,

 

Just wondering, is this only a problem with nochex payments?

 

thanks

 

 

I have tried this and the hack at first appears to work however I use Protx althouth the sale does show in the admin area it does not go through to protx hence no money has been paid no delivery. Only way for me to protect myself is to check Protx first.

 

Chris

[izcrab]

Well After flyrting a little more I found a small way to keep my downloable content not available trhough this hack:

 

First... I have the download controller contribution set where the order status valua HAS to be 2 or higher. This is good since every order on checkout_process is set to 1 (so no download is available when jumping to the checkout_success).

 

So in Paypal IPN i set the preparing order status to: Default (pending) which sets the order to 1.

then I change the paypal acknowledge order status to: processed through paypal which is above 1. then the download is available on redirection from paypal.

 

So far, (unless I find something else) is working as it should because even if anyone interrupts the order and jump to the order_success the order remains set as 'Pending'.

 

can you please tell me how you did this step by step, am new to osc and would like to setup downloadable products after payment.

 

Thanking you in advance.

 

Richard.

[chooch]

There has been much speculation about how to 'fix' this problem.

 

Basically the simplest way to tackle this problem is to use your chosen method of payment (paypal/nochex/protx) and see if the hack is affecting your store, if it is you then have to modify your store for each payment contribution added - so try to stick to one.

 

I know the hack does cause a threat in Paypal and Nochex, but it does NOT in Paypal WPP. I have been told the HSBC payment is unaffected too.

 

A key bit of advice: If using Paypal WPP with Express Checkout please note the hack is still a threat, but if you do not add the Express Checkout you can't be hacked via the checkout_process. The WPP is around £20/$20 per month so may not appeal to all but it is more important for stores with downloadable products to consider the cost v/s security issue because goods that need shipping can always be cross referenced with the payment/merchant processor.

[Getting Smarter Slowly]

Anything new ever come about with this issue?