
twigster

OSCOMMERCE ORDER HACK!!!


I have spoken to a friend who I think knows a lot about SSL and other things; they say all it does is encrypt it, and if you type in checkout_success.php you will still go there.


Is it not possible to add a variable to the checkout_confirmation.php page with the submit button. Something that registers a value in the database combining the session data.

 

Basically, when you hit the submit button to process the order on checkout_confirmation.php, a value is written to the database. This value could also be linked to the particular session (so a configuration table setting could be ORDER_SUBMITTED = true/false).

Then, when the checkout_success.php page loads, it checks to see if that value is true. If it is, it opens and sets it back to false. If it's false (i.e. the user did not submit the order in the correct way), it redirects back to checkout_confirmation.php.

It then does not matter whether it's linking to external sites or processing via osCommerce. The relevant checking is being done in house by osCommerce to ensure that the button was hit and that a URL was not just entered.

 

Just my thoughts

 

Steve


My Toolbox: Crimson Editor, Adobe Photoshop CS2.0, Expression Web, Macromedia Suite 8.0, Cinema 4D, Nvu.


Reply to my previous post.

 

I just thought, it would need to be a new table that is storing session data and the checkout true/false. The configuration table would be useless as it's global and you need a value for each customer (albeit the actual process should be extremely quick from true back to false, meaning the security would be 99% there if you used a global true/false).

 

Steve


> Is it not possible to add a variable to the checkout_confirmation.php page with the submit button? Something that registers a value in the database combining the session data.
>
> Basically, when you hit the submit button to process the order on checkout_confirmation.php, a value is written to the database. This value could also be linked to the particular session (so a configuration table setting could be ORDER_SUBMITTED = true/false).
>
> Then, when the checkout_success.php page loads, it checks to see if that value is true. If it is, it opens and sets it back to false. If it's false (i.e. the user did not submit the order in the correct way), it redirects back to checkout_confirmation.php.
>
> It then does not matter whether it's linking to external sites or processing via osCommerce. The relevant checking is being done in house by osCommerce to ensure that the button was hit and that a URL was not just entered.
>
> Just my thoughts
>
> Steve

 

 

Unless I'm misunderstanding what you're suggesting, I cannot see how this will work. It's a relative no-brainer to do this kind of thing if the checkout process is completely internal. Your solution would be just one of many and it would work fine.

 

However, I do not think this will help in the case of an external processor. In this scenario, I can click the confirmation button, be taken to the Paypal welcome screen where I am asked to login, and from there just type checkout_process.php in the location bar. Now I've passed the security and still not paid.

 

There's simply no amount of checks that can be done on the OSC site to protect against this without some sort of passing of information between the external payment processor and your store that verifies the payment process was completed.


Contributions

 

Discount Coupon Codes

Donations

> I have spoken to a friend who I think knows a lot about SSL and other things; they say all it does is encrypt it, and if you type in checkout_success.php you will still go there.

I did not mean SSL encryption of the connection.

 

This is how it works (approximately; I do not know all the details, and it is not so easy to explain in a short note) with iDEAL (the Dutch payment module):

 

1) You need to create a set of (ssl) certificates that can be compared for verification.

 

2) One certificate is uploaded to the payment provider and one resides at your server.

 

3) When the payment is completed the provider sends the certificate info to the return url of your payment module.

 

4) Then the payment module checks if the certificates match (not the same, but are a matching pair).

 

5) And if they match, that is the proof that the payment really has been confirmed by the payment provider.


Please do not PM me for support, I will not respond anyway.


How hard would it be to change the actual name to anything you like, such as asdasda_asdas.php instead of checkout_process.php? How many things would you have to change to do this? Because then, if you have SSL, it should encrypt this information, shouldn't it?


Gotcha. I see the problem now. I was thinking along the lines of the payment processes I am installing and none of them fire to external pages, but I have seen the paypal system in action.

 

It would only be possible if a payment confirmation could be received from the external processors which allows the opening of the relevant page. That is unlikely as they will not regard this as their problem.

 

How do other carts deal with this issue? I assume this is a problem also with Zen Cart, but how does Cube Cart etc. solve that issue...

 

Steve




Just another thought. If the external page was loaded into an iframe window, would it be possible for osCommerce to detect what page was active in the iframe? I.e. so with PayPal, only when the success page is opened in the iframe would checkout_success.php be allowed to open. I have never really messed with wrapper windows, so I do not know if the site opening the wrapper can detect what's happening in the wrapper window.

Again, this does not stop someone forcing PayPal to open in a new window, but maybe error code could be created if this event does happen.

Alternatively, don't use payment systems that are not processed by osCommerce (such as PayPal) :)

 

Steve



> 2) One certificate is uploaded to the payment provider and one resides at your server.

By the way: of course this is part of the installation process, not the payment process.

> How do other carts deal with this issue? I assume this is a problem also with Zen Cart, but how does Cube Cart etc. solve that issue...

I am quite sure the carts themselves do not (maybe even can't?) really solve it. It is a system that the payment provider and payment module have to support in cooperation. I doubt if any other solution even exists. You need to compare two sets of (encrypted) data for it to be safe.

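The five-step iDEAL description earlier in the thread, and the follow-up that provider and payment module "have to support it in cooperation", amount to a signed callback: the provider signs the payment result with a key only it holds, and the shop verifies that signature with the provider's certificate before it believes the payment happened. The block below is an added illustration of that pattern, not iDEAL's or osCommerce's own code. The field names, the canonical string layout and the in-process key generation are assumptions; a real module would load the provider's certificate from disk and read the fields from the return request.

```php
<?php
// Added example, not iDEAL or osCommerce code. Models the pattern described
// in the thread: each party holds a key pair; the provider signs the payment
// result it sends to the return URL with its private key, and the shop
// verifies that signature with the provider's certificate (public key) kept
// on the server. Field names and the canonical string format are assumptions.

// Both sides must sign exactly the same bytes, so the covered fields are
// serialised in a fixed order rather than taken in whatever order they arrive.
function canonical_payment_string(array $fields): string
{
    $covered = ['transaction_id', 'order_id', 'amount', 'currency', 'status'];
    $parts = [];
    foreach ($covered as $name) {
        $parts[] = $name . '=' . ($fields[$name] ?? '');
    }
    return implode('&', $parts);
}

// Provider side: sign the result with the provider's private key.
function sign_payment_result(array $fields, $providerPrivateKey): string
{
    $ok = openssl_sign(canonical_payment_string($fields), $signature, $providerPrivateKey, OPENSSL_ALGO_SHA256);
    if ($ok !== true) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($signature);
}

// Shop side: verify with the provider's public key. A result that does not
// verify is treated as "not paid", however plausible its contents look.
function verify_payment_signature(array $fields, string $signatureB64, string $providerPublicKeyPem): bool
{
    $signature = base64_decode($signatureB64, true);
    if ($signature === false) {
        return false;
    }
    return openssl_verify(canonical_payment_string($fields), $signature,
        $providerPublicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// A valid signature alone is not enough: the signed result must also describe
// the order the shop is waiting for, with the amount and currency it expects.
function accept_payment_result(array $fields, string $signatureB64, string $providerPublicKeyPem, array $pendingOrder): bool
{
    if (!verify_payment_signature($fields, $signatureB64, $providerPublicKeyPem)) {
        return false;
    }
    return $fields['status'] === 'Success'
        && $fields['order_id'] === $pendingOrder['order_id']
        && $fields['currency'] === $pendingOrder['currency']
        && $fields['amount'] === $pendingOrder['amount'];
}

// --- demonstration with keys generated in-process (constructed data) --------
$providerKey       = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$providerPublicPem = openssl_pkey_get_details($providerKey)['key'];   // what the shop would store

$pending = ['order_id' => '42', 'amount' => '19.95', 'currency' => 'EUR'];
$result  = ['transaction_id' => 'TX-1001', 'order_id' => '42', 'amount' => '19.95',
            'currency' => 'EUR', 'status' => 'Success'];
$signature = sign_payment_result($result, $providerKey);

$customerKey = openssl_pkey_new(['private_key_bits' => 2048]);   // a key the attacker made up

$cases = [
    // The genuine signed result from the provider.
    'genuine'     => accept_payment_result($result, $signature, $providerPublicPem, $pending),
    // The customer edits the amount in the return URL; the signature no longer covers it.
    'tampered'    => accept_payment_result(['amount' => '0.01'] + $result, $signature, $providerPublicPem, $pending),
    // The customer signs a "Success" with their own key; the shop only trusts the provider's key.
    'self-signed' => accept_payment_result($result, sign_payment_result($result, $customerKey), $providerPublicPem, $pending),
    // Signature is fine, but it belongs to a different order than the one pending.
    'wrong order' => accept_payment_result($result, $signature, $providerPublicPem, ['order_id' => '43'] + $pending),
];
foreach ($cases as $case => $accepted) {
    printf("%-12s %s\n", $case, $accepted ? 'accepted' : 'refused');
}
```

Only the first case is accepted. The point the thread is circling is visible in the other three: the customer can read the return URL in the HTML, can rewrite its parameters, and can produce any number of "Success" messages, but without the provider's private key none of them verify against the certificate the shop holds, so none of them move an order out of the unpaid state.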
> This is how it works (approximately; I do not know all the details, and it is not so easy to explain in a short note) with iDEAL (the Dutch payment module):
>
> 1) You need to create a set of (ssl) certificates that can be compared for verification.
>
> 2) One certificate is uploaded to the payment provider and one resides at your server.
>
> 3) When the payment is completed the provider sends the certificate info to the return url of your payment module.
>
> 4) Then the payment module checks if the certificates match (not the same, but are a matching pair).
>
> 5) And if they match, that is the proof that the payment really has been confirmed by the payment provider.

:blush: That was a bit oversimplified.

 

I just found some info at the paypal site about what I meant to say:

Encrypted Website Payments

 

Encrypted Website Payments is a simple way to add secure e-commerce functionality to your website and emails. Using encryption enhances the security of website payments by decreasing the possibility that a 3rd party could manipulate the data in your button code.

(source https://www.paypal.com/us/cgi-bin/webscr?cm...-intro-outside)

 

And technical: info at

https://www.paypal.com/us/cgi-bin/webscr?cm...echview-outside



I think I have a solution to this. How easy would it be to have your site send an email confirmation link to people's emails, so that we can at least have their email address, as you can track them by that? But you would have to put a Hotmail, Yahoo and Google Mail block on it.


That would turn people away from your commerce site.

People want to view, order and pay in the least amount of time.

Making them activate their account from email will make that process even longer.


For people who don't leave their site, I think this can just be solved by adding

tep_session_register('confirmation');

after

echo tep_draw_form('checkout_confirmation', $form_action_url, 'post', 'onsubmit="return check_agree(this);"');

Then in checkout_process, ABOVE include('includes/application_top_process.php'); add

if (!tep_session_is_registered('confirmation')) {
  header( 'Location: http://yoursite.com/checkout_shipping.php' );
  exit; // without exit the rest of checkout_process still runs after the redirect header is sent
}

Then, in your application_top file, add

if (tep_session_is_registered('confirmation')) {
tep_session_unregister('confirmation');
 }

 

I'd also make a note in configure.php and filenames.php (right underneath checkout_shipping) that if the domain or checkout_shipping is changed, you also need to change checkout_process. That's just me, though. Note that I can't test this right now, so I don't guarantee it working.


Always BACK UP your files and your database before making any changes. Before asking questions, check out the Knowledge Base. Check out the contributions to see if your problem's solved there. Search the forums.

 

Useful threads: Store Speed Optimization How to make a horrible shop Basics for design change How to search the forums

 

Useful contributions: Easypopulate Fast, Easy Checkout Header Tag Controller


But then this doesn't solve any problems for people using the Purchase Without Account contribution....


Anyone have any latest updates on this checkout problem?


Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH

> For people who don't leave their site, I think this can just be solved by adding
>
> tep_session_register('confirmation');
>
> after
>
> echo tep_draw_form('checkout_confirmation', $form_action_url, 'post', 'onsubmit="return check_agree(this);"');
>
> Then in checkout_process, ABOVE include('includes/application_top_process.php'); add
>
> if (!tep_session_is_registered('confirmation')) {
>   header( 'Location: http://yoursite.com/checkout_shipping.php' );
>   exit; // without exit the rest of checkout_process still runs after the redirect header is sent
> }
>
> Then, in your application_top file, add
>
> if (tep_session_is_registered('confirmation')) {
>   tep_session_unregister('confirmation');
> }
>
> I'd also make a note in configure.php and filenames.php (right underneath checkout_shipping) that if the domain or checkout_shipping is changed, you also need to change checkout_process. That's just me, though. Note that I can't test this right now, so I don't guarantee it working.

There is no application_top_process.php, and you cannot manipulate sessions before including application_top.php, as no session is started yet.

Furthermore, if you add a session variable registration after a form declaration it is registered immediately, not just after the form is submitted. So a simple page load would already register that variable.


Treasurer MFC
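Taking the two objections above into account, the "was the confirmation button really pressed" check proposed earlier in the thread (the database flag, and the tep_session_register() variant) can be made to work for a checkout that never leaves the shop: mint a random token when checkout_confirmation.php renders the form, send it back as a hidden field, and let checkout_process.php accept only a POST that carries the token issued to this session, consuming it on first use. The block below is an added example and not osCommerce code; the `checkout_nonce` field name, the function names and the use of `$_SESSION` directly instead of osCommerce's tep_session_* wrappers are assumptions. As the thread says, this proves only that this site's form was submitted. It says nothing about whether an external gateway was paid.

```php
<?php
// Added example, not osCommerce code. Assumes the session has already been
// started (in osCommerce, by application_top.php), so this code must run after
// that include, not before it. The field name 'checkout_nonce' and the function
// names are assumptions.

const CHECKOUT_NONCE_KEY = 'checkout_nonce';

// checkout_confirmation.php: mint a fresh random token while rendering the form,
// remember it in the session, and return it for a hidden field. Nothing is
// "registered as submitted" yet; a page load only gets the customer a token.
function issue_checkout_nonce(array &$session): string
{
    $nonce = bin2hex(random_bytes(16));
    $session[CHECKOUT_NONCE_KEY] = $nonce;
    return $nonce;
}

// Hidden field to emit inside the tep_draw_form() output. Plain HTML is used
// here so the example runs stand-alone; osCommerce has tep_draw_hidden_field().
function checkout_nonce_field(string $nonce): string
{
    return '<input type="hidden" name="checkout_nonce" value="'
        . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">';
}

// checkout_process.php: accept only a POST carrying the token issued to this
// session, and burn the token so the same request cannot be replayed.
function consume_checkout_nonce(array &$session, string $method, array $post): bool
{
    $expected = $session[CHECKOUT_NONCE_KEY] ?? null;
    unset($session[CHECKOUT_NONCE_KEY]);        // single use, even on failure

    if ($method !== 'POST') {
        return false;                           // a URL typed into the location bar is a GET
    }
    $supplied = $post['checkout_nonce'] ?? null;
    if (!is_string($expected) || !is_string($supplied)) {
        return false;                           // no token issued, or none sent
    }
    return hash_equals($expected, $supplied);   // constant-time comparison
}

// --- demonstration with a constructed in-memory "session" -------------------
$session = [];

// 1. Legitimate flow: the confirmation form posts its hidden token back.
$nonce   = issue_checkout_nonce($session);
$genuine = consume_checkout_nonce($session, 'POST', ['checkout_nonce' => $nonce]);

// 2. Replaying the same POST: the token was consumed, so it is refused.
$replay  = consume_checkout_nonce($session, 'POST', ['checkout_nonce' => $nonce]);

// 3. checkout_process.php typed straight into the browser: a GET without a token.
issue_checkout_nonce($session);
$typed   = consume_checkout_nonce($session, 'GET', []);

// 4. A token guessed or copied from another session does not match this one.
issue_checkout_nonce($session);
$forged  = consume_checkout_nonce($session, 'POST', ['checkout_nonce' => str_repeat('0', 32)]);

foreach (['genuine' => $genuine, 'replay' => $replay, 'typed' => $typed, 'forged' => $forged] as $case => $ok) {
    printf("%-8s %s\n", $case, $ok ? 'accepted' : 'refused');
}

// Guard for the top of checkout_process.php, placed after application_top.php
// (tep_href_link() and FILENAME_CHECKOUT_SHIPPING are osCommerce's own):
// if (!consume_checkout_nonce($_SESSION, $_SERVER['REQUEST_METHOD'], $_POST)) {
//     header('Location: ' . tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
//     exit;   // without exit the rest of the script still runs
// }
```

Only the first case is accepted. Two details matter for the bypass the thread describes: the check is on the POST body, not on the session alone, so merely having visited the confirmation page does not count as having submitted it; and the redirect is followed by `exit`, because a `header()` call on its own does not stop PHP from going on to process the order.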

> Unless I'm misunderstanding what you're suggesting, I cannot see how this will work. It's a relative no-brainer to do this kind of thing if the checkout process is completely internal. Your solution would be just one of many and it would work fine.
>
> However, I do not think this will help in the case of an external processor. In this scenario, I can click the confirmation button, be taken to the Paypal welcome screen where I am asked to login, and from there just type checkout_process.php in the location bar. Now I've passed the security and still not paid.
>
> There's simply no amount of checks that can be done on the OSC site to protect against this without some sort of passing of information between the external payment processor and your store that verifies the payment process was completed.

Well, I have very limited knowledge of these payment gateways, but I believe most require a return URL to your site which they redirect to after completion.

 

You might use that url to communicate a unique transaction id back and forth.

 

However, that would mean no form submit to the gateway as it is done today (then you need to add that transaction id to the form and it can be seen in the html) but order confirmation should redirect back to itself and in its top you have to generate a unique transaction id, save it, attach it to the return url and post the entire payment info via fsockopen() constructions.

 

Then in checkout_process you should check the returning url for that transaction id and compare it to your saved one before processing.


Treasurer MFC


Hi Amanda, I tend to agree with what you're saying there. Basically, we all know we can view the source and get the returning URL easily enough, but we need some kind of checking on the process or success page, to make sure that the customer is coming from the returning URL and not just typing it into the browser. Is there a way to code the process or success page to check the returning URL? I know all addresses will need to be added depending on the payment methods used, but surely this can be done, as this can be a major security breach.

Does anyone know if MS3 has solved this, or is the problem still there on the new beta release?


Stuart

> Does anyone know if MS3 has solved this, or is the problem still there on the new beta release?

Apparently MS3 doesn't resolve the issue.

I have heard from a senior member (Vger) some time back that the only resolution is a complete re-write of the checkout process (like Zen Cart have done), but it is a huge task... That's what I was told some months back; that's why I came back to this thread asking if there are any updates.

For downloaded products, osC is a nightmare, as it is impossible to vet payment before download commences if that is the way the store is set up.....

 

.... this is a serious flaw that really must be addressed in MS3



CHOOCH


Dear All

 

I have read through the post, and I thought the problem is easily solved with PayPal's IPN.

You specify in your PayPal account an address on your website to talk to for IPN. This address (as I believe) is not posted via HTTP submission, so hackers do not know it. So the scenario is this:

1. Customer A ordered an item from you.

2. The order is set to pending, and the customer cannot download the specific item.

3. PayPal will do an IPN to your website with a URL which is stated when you set up your PayPal account, which the hacker does not know.

4. Order becomes successful and customer A is notified via email.

I believe this is a simple solution to the hack problem in PayPal but requires you to have a Premier or Business account with PayPal. Any comments?

 

I have a more complex solution using SSL but I haven't tried it yet.

 

Regards,

Geoffrey

> You can hack before you even get to PayPal though, as you hack at the confirmation page; you don't have to go into PayPal.

 

Hi,

 

In the Paypal IPN, you can set your order status to Pending until there is an IPN notification in which you change it to DELIVERED.

 

May I also add with Paypal IPN (in the latest IPN module release by OSCommerce), it even does a verification by communicating with paypal after receiving the IPN notification and ensuring the exact variables came from paypal. Paypal will return VERIFIED if the exact variables came from it.

 

Did I understand your comment correctly?

 

Regards

Geoffrey
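The two IPN posts above describe the shape of the fix that actually closes the gap for an external processor: the order stays Pending until PayPal itself notifies the shop, and the notification is posted back to PayPal and must come back VERIFIED. The block below is an added example of such a handler, not the osCommerce PayPal IPN module, showing the checks a practitioner would want in the order they should run. It also covers the earlier "unique transaction id" suggestion from another angle: the shop's own order number travels to PayPal in the `invoice` field (an assumption about how the payment form is built) and the `txn_id` is recorded so the same notification cannot credit an order twice. The postback is isolated behind a callable so the demonstration runs offline; the stub replies, the IPN body and the shop e-mail address are constructed.

```php
<?php
// Added example, not the osCommerce PayPal IPN module. Checks an IPN handler
// should pass before an order leaves "Pending": (1) post the message back and
// require VERIFIED, (2) the money went to this shop's account, (3) the payment
// is Completed for the pending order's amount and currency, (4) the txn_id has
// not been processed before. The postback is behind a callable so the demo runs
// offline; the 'invoice' field carrying the order number is an assumption.

const PAYPAL_VALIDATE_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Real postback: the raw body PayPal sent is returned to PayPal verbatim,
// prefixed with cmd=_notify-validate; PayPal replies VERIFIED or INVALID.
function paypal_postback(string $rawBody): string
{
    $ch = curl_init(PAYPAL_VALIDATE_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return is_string($reply) ? trim($reply) : '';
}

// Returns ['ok' => bool, 'reason' => ...]. $pendingOrders maps order id to
// ['total' => '..', 'currency' => '..']; $seenTxns is the shop's record of
// txn_ids already credited (a database table in a real store).
function handle_ipn(string $rawBody, array $pendingOrders, array &$seenTxns,
                    string $receiverEmail, callable $postback = 'paypal_postback'): array
{
    parse_str($rawBody, $ipn);

    if ($postback($rawBody) !== 'VERIFIED') {
        return ['ok' => false, 'reason' => 'postback did not return VERIFIED'];
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $receiverEmail) !== 0) {
        return ['ok' => false, 'reason' => 'payment was not made to this account'];
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return ['ok' => false, 'reason' => 'payment_status is ' . ($ipn['payment_status'] ?? 'missing')];
    }
    $orderId = $ipn['invoice'] ?? '';
    if (!isset($pendingOrders[$orderId])) {
        return ['ok' => false, 'reason' => 'no pending order for invoice ' . $orderId];
    }
    $order = $pendingOrders[$orderId];
    $paid  = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    if (($ipn['mc_currency'] ?? '') !== $order['currency'] || $paid !== $order['total']) {
        return ['ok' => false, 'reason' => 'amount/currency does not match the order'];
    }
    $txnId = $ipn['txn_id'] ?? '';
    if ($txnId === '' || isset($seenTxns[$txnId])) {
        return ['ok' => false, 'reason' => 'txn_id missing or already processed'];
    }
    $seenTxns[$txnId] = $orderId;            // record before releasing the order
    return ['ok' => true, 'order_id' => $orderId, 'txn_id' => $txnId];
}

// --- demonstration with a constructed IPN body and stub postbacks -------------
$pending  = ['42' => ['total' => '19.95', 'currency' => 'EUR']];
$seen     = [];
$shopMail = 'payments@example-shop.test';        // the shop's PayPal account (constructed)

$body = http_build_query([
    'txn_id' => '8XY12345AB678901C', 'payment_status' => 'Completed', 'invoice' => '42',
    'mc_gross' => '19.95', 'mc_currency' => 'EUR', 'receiver_email' => $shopMail,
]);

$verified = fn(string $raw): string => 'VERIFIED';   // stand-in for PayPal confirming the message
$invalid  = fn(string $raw): string => 'INVALID';    // stand-in for a message PayPal never sent

$cases = [
    'genuine IPN'        => handle_ipn($body, $pending, $seen, $shopMail, $verified),
    'same IPN replayed'  => handle_ipn($body, $pending, $seen, $shopMail, $verified),
    'forged by customer' => handle_ipn($body, $pending, $seen, $shopMail, $invalid),
    'underpaid'          => handle_ipn(str_replace('19.95', '0.01', $body), $pending, $seen, $shopMail, $verified),
];
foreach ($cases as $case => $outcome) {
    printf("%-18s %s\n", $case, $outcome['ok'] ? 'order released' : 'refused: ' . $outcome['reason']);
}
```

Only the first case releases the order. The customer typing checkout_process.php or checkout_success.php into the browser never reaches this code path at all: nothing changes the order status except a notification that PayPal confirms it sent, for this account, for this order, for the full amount, and that has not been seen before.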
