osCommerce

The e-commerce.

OSCOMMERCE ORDER HACK!!!


twigster


I just received a helpful email from someone proving this flaw to me on my new site. He offers a simple code fix based on preventing direct access of the file, based on using:

 

if (!$HTTP_SERVER_VARS['HTTP_REFERER'])

More instructions at http://www.westhost.co.uk/osc_freecontributions.php

Can people offer their opinions on whether this is a valid fix?

Cheers.

 

Someone suggested that earlier.

 

Is it not possible to put the referrer into an if/else clause? So if the user went direct to checkout_process.php they would be redirected to another page.

 

Even if that meant adding an additional page before checkout_process.php, like order_processing.php so the referrer would have to come from there.

 

I don't have a live store yet so I am stabbing in the dark.

 

Oh, that'll be me then! B)


Hi,

 

got the email as well.

 

but first I got a sale.

 

when I went to look at the sale (I was very excited - it is a new store - need any fancy dress or costumes?) it was marked as:

Neil Westlake £44.99 05/16/2006 13:41:19 Preparing [PayPal IPN]

 

which means it hadn't gone through PayPal and no payment was received. So I went to write him an email saying sorry but your order wasn't successful...

 

Before I finished I got an offer from them to fix my site 'for a small fee of £30'.

 

While I agree this could be very annoying I don't see it as a major security problem for items that need delivery.

 

For items that can be downloaded I would suggest you just add a check into the download area to ensure the status has moved on to the correct state, 'pending' for PayPal.

 

would guess that would be pretty simple.

 

If anyone wants will try and delve into the download code - don't use it myself

 

Thanks


I tried that fix and it doesn't seem to work. I mean I still completed a checkout, so it doesn't seem to have done anything.


For items that can be downloaded I would suggest you just add a check into the download area to ensure the status has moved on to the correct state, 'pending' for PayPal.

 

What about the customers who want immediate downloads after payment? They do not want to wait for the admin to manually allow access by setting statuses; the customers want their immediate downloads.

 

I agree that physical goods can be protected because the store owner has to check their PayPal/Nochex/Authorize.Net etc etc account to see if payment was received before sending the item out by post - but downloads are a major disaster area with this hack!

 

This is a major stumbling block for osC and it's users

Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH


Hi,

 

My download site is still in development but I cannot get past the checkout confirmation page unless I choose confirm order. This is because I have Must Agree To Terms installed, which requires the customer to check the radio button and submit it via the confirm order. Tried to get to checkout process (JavaScript on) without the radio checked and got an error; with the radio checked... still got an error. Turned JavaScript off... same results. If I don't check the radio AND hit confirm order I get stuck on the confirmation screen.

 

Not sure if this would be something that is worth a try for others. Could be "agree to anything"...I agree not to scam your site!! LOL

 

Sheri


Is this really a problem with osCommerce as a whole or just certain payment modules? I've tried duplicating this with PayPal WPP and with the credit card option either get stuck in a loop, redirected to checkout_shipping.php with an error generated by MVS, or redirected to checkout_payment.php with an error generated by WPP. I've tried it every way I can think of including the ways it's described in this thread, but I can't force an order through without paying for it.

 

The closest I can come is by going through PayPal Express Checkout, getting to checkout_confirmation.php, and then typing in checkout_process.php in the address bar. In this scenario the order is logged in admin and the payment is processed through PayPal. That's not a hack, it's the user manually typing in a URL instead of hitting the confirm button, but with the same results.

Do, or do not. There is no try.

 

Order Editor 5.0.6 "Ultra Violet" is now available!

For support or to post comments, suggestions, etc, please visit the Order Editor support thread.


Has anyone had any luck with the fix westhost sent out?

 

Locate the following lines of code:

// load selected payment module
require(DIR_WS_CLASSES . 'payment.php');
$payment_modules = new payment($payment);

// load the selected shipping module
require(DIR_WS_CLASSES . 'shipping.php');
$shipping_modules = new shipping($shipping);

require(DIR_WS_CLASSES . 'order.php');
$order = new order;

and insert the following straight after:

// Stop direct access to this file - Added by Neil Westlake (Westhost.co.uk) [email protected]
if (!$HTTP_SERVER_VARS['HTTP_REFERER']) {
  // Send an email as a safe-guard against failure
  $email_message = 'This order failed at the final stage, maybe a checkout hack attempt. The customer\'s name is ' . $order->customer['firstname'] . ' ' . $order->customer['lastname'] . '. Their telephone number is ' . $order->customer['telephone'] . ' and email address is ' . $order->customer['email_address'];
  tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Order Rejection', $email_message, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

  // Redirect the user to the checkout payment page with an error
  $error = 'A problem has occurred whilst processing your payment, the store owner has been notified and should be in contact soon';
  tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode($error), 'SSL'));
  exit;
}

Now when a customer tries to go directly to the checkout_process.php file they will be immediately thrown back to the checkout payment page and you will be notified of their details.

If you have any problems implementing these changes, or experience problems please email [email protected]

Steve


Has anyone had any luck with the fix westhost sent out?...

 

 

Didn't work for me.


Has anyone had any luck with the fix westhost sent out?...

 

 

It appears to work, it throws them back to order confirmation and sends you an email with their disclosed details. It's better than nothing I suppose ;)


Is this really a problem with osCommerce as a whole or just certain payment modules?...

I agree with your suggestion.

 

I use a modified SECPay module and try as I might, I find it's not possible to hack round this to submit an order without paying. Attempting to do this results in the module detecting an incorrect digest key and it throws the client back to the start.

 

The other payment system I have is cheque. This is so simple (it basically just sticks an entry in the order to say that I need to wait for a cheque) that there really is nothing to hack.

 

...so yes, I think this problem is confined to individual modules with dodgy coding in them.

 

Rich.


I have found different levels of problems with different modules. Here is a list of what I've found:

 

Paypal - Not really a problem as you can easily see that the IPN hasn't updated.

Nochex - This allows the order to go through and look as if payment was received. An issue for stores taking a large amount of orders or download sites.

SecPay - Same as Nochex

HSBC secure e-Payments - No problems as the user is always bounced back to the payments page.

ProTX Direct & Form - Same as HSBC

Cheque / COD / CC Module - More of an annoyance, but who's gonna process an order without receiving payment.

 

Neil Westlake


Actually yes it works. I guess somehow as I pasted the code it was all commented out and that's why it wasn't working. I double checked it and it's good now. Seems to block the hack as far as manually typing the URL into the browser window... hopefully there aren't other ways for a hacker to redirect the browser to that page and bypass the hack fix.


Ok just discovered that my modification doesn't work with SecPay. You get paid but for some reason SecPay's referring URL is blank which causes the customer to be sent back to the payment page.

 

I don't have access to a Secpay account so I can't work on a solution for this.

 

Neil Westlake


I've just replicated the same thing with epdq, confirm order, get to the epdq screen and then go direct to checkout_process and weyhey, a free order.

shit....


Ok just discovered that my modification doesn't work with SecPay. You get paid but for some reason SecPay's referring URL is blank which causes the customer to be sent back to the payment page.

 

I don't have access to a Secpay account so I can't work on a solution for this.

 

Neil Westlake

 

You can use their test account of

User secpay

pass secpay

If you log in to their site with those details it will show if the transaction has worked or not.

Steve


Locate the following lines of code: ... Now when a customer tries to go directly to the checkout_process.php file they will be immediately thrown back to the checkout payment page and you will be notified of their details.

 

This works a treat for me, just tried again and got thrown back to checkout_payment and got an email saying someone tried to hack the site :)

 

Cheers

 

stubbsyt


For those of you who think you have sorted the issue out with the 'westhost' fix, you have NOT fixed it....

 

Yes you get bounced back and the error shows up, BUT what if you DON'T apply the hack and actually confirm the checkout and go to your payment module... once the payment is received and you get redirected back to the store you go back to the 'bounced' page, the items are still in your cart and the store DOES NOT update the order.

 

You do however get an email from your PayPal (or similar) account stating a payment was made but the store does not send out an email or update orders.

 

Test this yourself by buying an item from your store but use a payment module like paypal. The issue is a little more complicated.

 

By the sounds of it the HSBC and Protx modules are the safest bet to avoid this but before people panic, everything must be put in to perspective.

 

For downloadable products, I can't really offer any advice as such.. yet. Customers want immediate downloads (songs/videos/text/documents etc) when they pay for them. If you set the status to pending and manually deliver the downloads you are protected financially, but depending on the structure of the store you may never have a repeat customer if you delay the transaction being set to delivered! Catch 22

 

But for tangible goods stores who use 'hackable' payment modules I guess vigilance is the key. You must check the payment module account by logging in and manually checking if payment was received.

 

There are a couple of top people working on this so someone somewhere may have a suitable answer soon but at the moment it does look likely that store owners may be able to offer just one payment module and close the hack in checkout_process. That is something that may be applied to any one payment module of your choice... I think.


 

CHOOCH


This is not going to be an easy problem to resolve. The idea of modifying each Payment Module is not practical, and needs resolving within the checkout process itself. Unfortunately the only way I can see this being done is to completely rewrite the whole of the checkout process - and I don't see that happening with MS2.

 

Vger


Steve thanks for the heads up with the Secpay test account.

 

Anyone that is using my fix but are still having problems with Secpay can try this:

 

On the first line change this:

 

if (!$HTTP_SERVER_VARS['HTTP_REFERER']){

 

to:

 

if (!$HTTP_SERVER_VARS['HTTP_REFERER'] && substr($_ENV['HTTP_USER_AGENT'], 0, strpos($_ENV['HTTP_USER_AGENT'], '/')) != 'Java'){

 

That should solve the Secpay problem now.

 

Can someone please test it and let me know the outcome.

 

Neil Westlake


if (!$HTTP_SERVER_VARS['HTTP_REFERER']){

Using the referrer is not a reliable fix.

 

I run my browser with referrer switched off. This 'fix' would prevent me from buying anything from your shop.

 

Rich.


if (!$HTTP_SERVER_VARS['HTTP_REFERER']){

Using the referrer is not a reliable fix.

 

I run my browser with referrer switched off. This 'fix' would prevent me from buying anything from your shop.

 

Rich.

 

 

You also have the ability to change the referrer to ANYTHING you wish, including the content it's supposed to have.

 

This is NOT a fix. It does nothing more than make it impossible for people to order if their browsers don't send a correct referrer string, and it does nothing to protect you from people who want to bypass this.

Contributions

 

Discount Coupon Codes

Donations


Steve thanks for the heads up with the Secpay test account. ... Can someone please test it and let me know the outcome.

 

I have tested it and can confirm it works Neil. This is the code I have got.

The message you get is "A problem has occurred whilst processing your payment, the store owner has been notified and should be in contact soon"

// load selected payment module
require(DIR_WS_CLASSES . 'payment.php');
$payment_modules = new payment($payment);

// load the selected shipping module
require(DIR_WS_CLASSES . 'shipping.php');
$shipping_modules = new shipping($shipping);

require(DIR_WS_CLASSES . 'order.php');
$order = new order;

// Stop direct access to this file - Added by Neil Westlake (Westhost.co.uk) [email protected]
if (!$HTTP_SERVER_VARS['HTTP_REFERER'] && substr($_ENV['HTTP_USER_AGENT'], 0, strpos($_ENV['HTTP_USER_AGENT'], '/')) != 'Java') {
  // Send an email as a safe-guard against failure
  $email_message = 'This order failed at the final stage, maybe a checkout hack attempt. The customer\'s name is ' . $order->customer['firstname'] . ' ' . $order->customer['lastname'] . '. Their telephone number is ' . $order->customer['telephone'] . ' and email address is ' . $order->customer['email_address'];
  tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Order Rejection', $email_message, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

  // Redirect the user to the checkout payment page with an error
  $error = 'A problem has occurred whilst processing your payment, the store owner has been notified and should be in contact soon';
  tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode($error), 'SSL'));
  exit;
}

Steve

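Added example, not code from this thread or from osCommerce. It covers two points raised above: Rich's and the Discount Coupon Codes author's objection that the Referer header is client-controlled (so the check blocks a privacy browser or a gateway redirect that sends no Referer, while a forged Referer passes), and Neil's revised condition, which is skipped whenever the User-Agent product is "Java". The first part is a Python model of that revised condition run over constructed request headers; the second sketches the kind of check the SecPay module's digest verification represents: the order is released only by a gateway notification whose signature verifies under a shared secret, so nothing in the customer's request can release it. The store URL, the HMAC scheme, the secret and every sample header are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# --- 1. Model of the posted referrer check -------------------------------
# Condensed from the westhost fix as revised in this thread: the request is
# rejected only when Referer is absent AND the User-Agent product (the text
# before the first "/") is not "Java". Both headers are chosen by the client.

def westhost_check_allows(headers: dict) -> bool:
    """Return True when checkout_process would run, False when it redirects."""
    referer = headers.get("Referer", "")
    ua = headers.get("User-Agent", "")
    # PHP: substr($ua, 0, strpos($ua, '/')); strpos() false -> length 0 -> ""
    ua_product = ua.split("/", 1)[0] if "/" in ua else ""
    blocked = (not referer) and ua_product != "Java"
    return not blocked

# Constructed request headers for this example (not captured traffic).
SHOP = "https://shop.example"   # hypothetical store
BROWSER_VIA_CONFIRM = {"Referer": f"{SHOP}/checkout_confirmation.php",
                       "User-Agent": "Mozilla/5.0"}
PRIVACY_BROWSER = {"User-Agent": "Mozilla/5.0"}      # referrer sending disabled
GATEWAY_RETURN = {"User-Agent": "Mozilla/5.0"}       # redirect back from gateway, no Referer
FORGED_REFERER = {"Referer": f"{SHOP}/checkout_confirmation.php",  # attacker-chosen
                  "User-Agent": "curl/7.0"}
FORGED_JAVA_UA = {"User-Agent": "Java/1.5"}          # exempt, no Referer needed

# --- 2. What a gateway-verified order looks like instead ------------------
# Illustrative design, not osCommerce code: the store finalises an order only
# after a gateway notification whose signature verifies under a shared secret,
# so nothing the customer sends (URL, Referer, User-Agent) can release it.

def sign_callback(secret: bytes, order_id: str, amount: str) -> str:
    """Signature the (hypothetical) gateway attaches to its notification."""
    msg = f"{order_id}:{amount}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class Checkout:
    def __init__(self, gateway_secret: bytes):
        self._secret = gateway_secret
        self._paid = {}   # order_id -> amount; written only by verified callbacks

    def new_order(self) -> str:
        return secrets.token_hex(8)

    def gateway_callback(self, order_id: str, amount: str, signature: str) -> bool:
        """Accept the gateway's notification only if its signature verifies."""
        expected = sign_callback(self._secret, order_id, amount)
        if not hmac.compare_digest(expected, signature):
            return False
        self._paid[order_id] = amount
        return True

    def finalize(self, order_id: str, expected_amount: str) -> bool:
        """checkout_process equivalent: release the order only if it is paid."""
        return self._paid.get(order_id) == expected_amount

if __name__ == "__main__":
    for name, req in [("browser via confirmation", BROWSER_VIA_CONFIRM),
                      ("privacy browser", PRIVACY_BROWSER),
                      ("gateway return", GATEWAY_RETURN),
                      ("forged Referer", FORGED_REFERER),
                      ("forged Java UA", FORGED_JAVA_UA)]:
        print(f"{name:25s} allowed={westhost_check_allows(req)}")
    shop = Checkout(b"demo-secret")
    oid = shop.new_order()
    print("direct finalize:", shop.finalize(oid, "44.99"))
    shop.gateway_callback(oid, "44.99", sign_callback(b"demo-secret", oid, "44.99"))
    print("after verified callback:", shop.finalize(oid, "44.99"))
```

Running the first part shows the two legitimate referrer-less cases rejected and the two attacker-controlled cases accepted, which is the behaviour the objections above describe. In the second part a direct call to finalize() does nothing until a correctly signed callback has been recorded, and a tampered amount or a callback signed with the wrong secret is refused; that property, not the Referer, is what the modules reported as unaffected in this thread rely on.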
