osCommerce

How to hack osCommerce...


carryG


There are many different solutions to this problem.

1. A modification needs to be made to checkout_process.php which checks whether a certain variable value was passed back from PayPal or not. If yes, the order went through -> send the customer to checkout_success. If not, the order did not go through -> send the customer back to checkout_payment with a notification message.

2. You can use the Download Controller contribution and MANUALLY switch order statuses to "Allow Download" while having them initially "Pending". If you are offering instant downloads and someone places an order at 4 AM in the morning, this may not be the most suitable solution for you.

3. PayPal IPN should put an end to this "hack" also; if properly configured to work with downloadable products, it should work similarly to solution 1).

4. PayPal WPP and Express Checkout put an end to it. At least the sites I tested were not "hackable" with this URL switch trick.

5. Renaming of checkout_process. This should work fine if there is no way for users to determine the new file name. So I'd recommend this for people who use the default PayPal module exclusively and do not have any other options present, i.e. Check / Money Order or In-store pickup, which would allow a user to see the new filename.

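The thread's recurring point is that anything the buyer's browser sends back to the store (a return parameter, the Referer header, the URL it lands on) can be typed in by hand, so the only trustworthy signal of payment is one the store obtains server-to-server from the processor. The following is an added example of such a PayPal IPN listener, written for this page; it is not osCommerce core code and not code from any post in this thread. It assumes osCommerce's application_top.php is included so the tep_db_* helpers and TABLE_* constants exist, that the payment module sent the osCommerce orders_id to PayPal in the 'custom' field, and that a small table paypal_ipn_txn exists for replay protection; the constants at the top are placeholders to be adjusted to the store.

```php
<?php
// Added example: a minimal PayPal IPN listener for an osCommerce store.
// Not osCommerce core code. The order is promoted to the paid status only after
// PayPal has confirmed the notification server-to-server and the payment details
// match the order on file. PayPal calls this file as the notify_url.
require('includes/application_top.php');

define('IPN_RECEIVER_EMAIL', 'payments@example.com');               // assumed: the store's PayPal account
define('IPN_PAID_STATUS_ID', 3);                                     // assumed: your "payment received" status ID
define('IPN_VALIDATE_URL', 'https://ipnpb.paypal.com/cgi-bin/webscr');

// Step 1: send the untouched POST body back to PayPal prefixed with
// cmd=_notify-validate. Only PayPal's answer to this postback is trusted; the
// browser-driven return to checkout_process.php can be forged by anyone.
function ipn_postback_is_verified($raw_body) {
    $ch = curl_init(IPN_VALIDATE_URL);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 30,
    ));
    $response = curl_exec($ch);
    curl_close($ch);
    return trim((string)$response) === 'VERIFIED';
}

// Step 2: a VERIFIED message can still be for another merchant's account, a
// pending or reversed payment, the wrong amount or currency. Compare it with
// the order as osCommerce stores it: orders.currency plus the ot_total row of
// orders_total (kept in the default currency, hence the currency_value factor).
function ipn_matches_order($ipn, $orders_id) {
    if (!isset($ipn['payment_status'], $ipn['receiver_email'], $ipn['mc_currency'], $ipn['mc_gross'])) return false;
    if ($ipn['payment_status'] !== 'Completed') return false;
    if (strcasecmp($ipn['receiver_email'], IPN_RECEIVER_EMAIL) !== 0) return false;

    $order_query = tep_db_query("select o.currency, o.currency_value, ot.value" .
                                " from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_TOTAL . " ot" .
                                " where o.orders_id = '" . (int)$orders_id . "'" .
                                " and ot.orders_id = o.orders_id and ot.class = 'ot_total'");
    if (tep_db_num_rows($order_query) !== 1) return false;
    $order = tep_db_fetch_array($order_query);

    $expected = round($order['value'] * $order['currency_value'], 2);
    return $ipn['mc_currency'] === $order['currency']
        && abs((float)$ipn['mc_gross'] - $expected) < 0.005;
}

// Step 3: replay protection. Assumed table paypal_ipn_txn(txn_id varchar(32)
// primary key, orders_id int); the unique key turns a second notification
// carrying the same txn_id into a no-op, so one payment cannot unlock two orders.
function ipn_txn_is_new($txn_id, $orders_id) {
    tep_db_query("insert ignore into paypal_ipn_txn (txn_id, orders_id)" .
                 " values ('" . tep_db_input($txn_id) . "', '" . (int)$orders_id . "')");
    return tep_db_affected_rows() === 1;
}

$raw_body  = file_get_contents('php://input');
parse_str($raw_body, $ipn);
$orders_id = isset($ipn['custom']) ? (int)$ipn['custom'] : 0;
$txn_id    = isset($ipn['txn_id']) ? $ipn['txn_id'] : '';

if ($orders_id <= 0 || $txn_id === ''
    || !ipn_postback_is_verified($raw_body)
    || !ipn_matches_order($ipn, $orders_id)
    || !ipn_txn_is_new($txn_id, $orders_id)) {
    header('HTTP/1.1 400 Bad Request');      // PayPal retries; nothing is released
    exit;
}

// Only now promote the order. A download.php gated on IPN_PAID_STATUS_ID starts
// serving files from this point and not before, whatever URL the buyer typed.
tep_db_query("update " . TABLE_ORDERS . " set orders_status = '" . (int)IPN_PAID_STATUS_ID . "'," .
             " last_modified = now() where orders_id = '" . (int)$orders_id . "'");
tep_db_query("insert into " . TABLE_ORDERS_STATUS_HISTORY .
             " (orders_id, orders_status_id, date_added, customer_notified, comments)" .
             " values ('" . (int)$orders_id . "', '" . (int)IPN_PAID_STATUS_ID . "', now(), '0'," .
             " 'PayPal IPN verified, txn " . tep_db_input($txn_id) . "')");
header('HTTP/1.1 200 OK');
```

The checkout_process.php page itself should then leave the order in its pending status; a customer who jumps straight to checkout_process.php or checkout_success.php gets an order record and a thank-you page, but no download until this listener has run and the postback has come back VERIFIED.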

1. This only applies if you are using a payment processing module (like the default Pay Pal module) which has no "call back" to the website.

 

2. Other payment modules, such as World Pay or the osCommerce Pay Pal IPN module do not have this problem.

 

3. It has been 5 years since osCommerce MS2 was first issued and the only Pay Pal module available then was the one bundled with MS2 - but that hasn't been the case for years and there are many more Pay Pal modules available now.

 

4. If you are providing downloads then you need to install Downloads Controller, and this prevents people from getting downloads without having paid for them.

 

5. The default osCommerce is a bare-bones eCommerce shopping cart solution. It was done the way it was done in order to try and make it as easy as possible for many people with little knowledge of the web to install. In other words to make it as "idiot proof" as possible.

 

6. Many people think that installing osCommerce is the "end" of the process, but it's just the "beginning". If people are not prepared to learn how to adapt, modify, redesign osCommerce themselves then they had best accept the fact that they'll have to provide a budget to get someone else better qualified to do it for them.

 

Vger


 

This has been a well known issue and discussed in great detail in this forum.

Vger has posted the correct solution above.

Bill Kellum

 

Sounds Good Productions

STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum STS Forum FREE TEMPLATE


Sorry for the second reply, I just forgot to add this detail.

If you type it in, it says it's a success, but when I go into the admin part it doesn't show any orders as being placed, so it didn't even go through.


Checked my installation and saw this below. Free downloads without even accessing any payment modules.

Here is the scenario:

Customer visits my store

Selects product, adds to cart

Goes to checkout

Creates account or logs in

Completes all checkout steps except for the final confirm order step

Pay attention here, as this is where the product becomes free.

URL address bar shows this URL:

https://mydomain.com/checkout_confirmation.php

Customer changes the above URL to:

https://mydomain.com/checkout_process.php

Page reloads to:

https://mydomain.com/checkout_success.php

At this point no payment has been completed and the customer has access to download all products that were placed in the shopping cart.

I should mention that I am using the Super Download Shop contribution as well.


Vger provides a great solution and info above. While I would love to see this as a sticky, or at least the HOW TO FIX for this problem with osC or a default install of PayPal (IT'S THAT IMPORTANT!), updating to PayPal IPN or PayPal Pro should fix it. Anytime you're auto-approving downloads for "payments" you shift the risk assessment to your software. Make sure it's properly programmed and, IMHO, always verify PayPal payments prior to shipping or allowing release of downloads. Here is Vger's post again:

 

1. This only applies if you are using a payment processing module (like the default Pay Pal module) which has no "call back" to the website.

 

2. Other payment modules, such as World Pay or the osCommerce Pay Pal IPN module do not have this problem.

 

3. It has been 5 years since osCommerce MS2 was first issued and the only Pay Pal module available then was the one bundled with MS2 - but that hasn't been the case for years and there are many more Pay Pal modules available now.

 

4. If you are providing downloads then you need to install Downloads Controller, and this prevents people from getting downloads without having paid for them.

 

5. The default osCommerce is a bare-bones eCommerce shopping cart solution. It was done the way it was done in order to try and make it as easy as possible for many people with little knowledge of the web to install. In other words to make it as "idiot proof" as possible.

 

6. Many people think that installing osCommerce is the "end" of the process, but it's just the "beginning". If people are not prepared to learn how to adapt, modify, redesign osCommerce themselves then they had best accept the fact that they'll have to provide a budget to get someone else better qualified to do it for them.


These are indeed some good ideas but they are by no means a solution or a fix.

 

Manually approving downloads is not an option for me. Also it kind of defeats the purpose of an automated shop. It will cost customers and eat away time to manually approve customers. In this day and age customers want their downloads as soon as they pay for them.

In regards to the steps above:

Step 1 is not an option as I do not use PayPal, and even if I did I can still bypass the payment module and never even visit PayPal. Easy to hack.

Step 2 - All payment modules have this easy hack problem. Read my previous post above on how to easily hack your own site by following the process I used.

Step 4 - SDS is installed, and even if any downloads controller is installed, once again manually approving all downloads is not a feasible option, period!

Step 6 - I agree that the install is just the start of the process. And therefore the search goes on to automate this software even more and make it better than ever. Which comes back to the major step of securing the software from easy hacks.

 


There has to be a solution. Cubecart (a cart that we maintain for customers) doesn't have this problem at all. It shouldn't be too hard to compare the core code of this cart to see how it has solved this concern and create a mod or rewrite.

...tongue in cheek, pointing out the obvious, hoping someone doesn't ask me why I will not tackle it...

lol


It's quite easy to fix: just use another PayPal module, or make a new one which utilizes the PayPal MD5 password authorization.


Mmm, you're right. I just tested it with the Webadvantage module (Westpac Banking online CC processor). However it won't affect my setup as we check all payments (part of fraud prevention).

 

Webadvantage: http://addons.oscommerce.com/info/3693

luke


To prevent download stealing, a small mod to /catalog/download.php is required.

 

Replace

$downloads_query = tep_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, opd.download_maxdays, opd.download_count, opd.download_maxdays, opd.orders_products_filename from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_PRODUCTS . " op, " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " opd where o.customers_id = '" . $customer_id . "' and o.orders_id = '" . (int)$HTTP_GET_VARS['order'] . "' and o.orders_id = op.orders_id and op.orders_products_id = opd.orders_products_id and opd.orders_products_download_id = '" . (int)$HTTP_GET_VARS['id'] . "' and opd.orders_products_filename != ''");

 

with

// mod to prevent download stealing
// original query kept for reference:
// $downloads_query = tep_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, opd.download_maxdays, opd.download_count, opd.download_maxdays, opd.orders_products_filename from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_PRODUCTS . " op, " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " opd where o.customers_id = '" . $customer_id . "' and o.orders_id = '" . (int)$HTTP_GET_VARS['order'] . "' and o.orders_id = op.orders_id and op.orders_products_id = opd.orders_products_id and opd.orders_products_download_id = '" . (int)$HTTP_GET_VARS['id'] . "' and opd.orders_products_filename != ''");

$downloads_query = tep_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, opd.download_maxdays, opd.download_count, opd.orders_products_filename" .
                                " from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_PRODUCTS . " op, " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " opd" .
                                " where o.customers_id = '" . (int)$customer_id . "'" .                // (int) cast added: never interpolate an uncast value into SQL
                                " and o.orders_id = '" . (int)$HTTP_GET_VARS['order'] . "'" .
                                " and o.orders_status = '3'" .                                         // the added check: 3 = your "payment received" status ID
                                " and o.orders_id = op.orders_id" .
                                " and op.orders_products_id = opd.orders_products_id" .
                                " and opd.orders_products_download_id = '" . (int)$HTTP_GET_VARS['id'] . "'" .
                                " and opd.orders_products_filename != ''");
// end mod to prevent download stealing

 

This does an additional check that the order status is 3 (or whatever you have set for payment received). If it does not match, then the 'buyer' just sees a blank screen instead of getting access to the download. Instead of

and o.orders_status = '3'

I guess you could use >= '3' or use an OR statement.

 

I can't remember where I found this suggestion but it worked for me.

 

I am using IPN along with this.


Too bad the whole community is not AWARE that you should not post general questions in the contributions area, as the forums here are the place to do that. Our contribution area is being exploited by idiocy and there is no way around it. It's just sickening.

 

 

I can understand why people are posting questions in the contributions section.

I have had a question that no one has even replied to, let alone answered, and yet write the word hack on it and there is a deluge of replies and comments.

I agree that the contributions should not be abused, but if people don't help others find answers and just debate in general support, then people will try to abuse the system.

Personally I keep bumping up the question in the hope that one person knows the solution, so that I can fix it and others can find it in the future.

 

regards

Ian

 

P.S. If anyone knows their stuff, please help here.

 

http://www.oscommerce.com/forums/index.php?sho...=303767&hl=


  • 1 month later...

Hi,

I installed osCommerce and I changed the design,

but I want to change the front-end products display, and the Add to Cart and View Details buttons are also displayed, but how do I give links to those buttons?

Please send the answer.

Thanks & regards,

laxman


  • 1 month later...

Vger,

 

For those that are not sure of this, are the PayPal programs installed below:

 

PayPal Website Payments Pro (US) Direct Payments

PayPal Express Checkout

PayPal Website Payments Standard

PayPal Website Payments Pro (UK) Direct Payments

PayPal Website Payments Pro (UK) Express Checkout

 

compatible with PayPal IPN, or is there a separate mod to install?

Has anyone identified whether each of the top items has this hack problem of checking out without payment?

 

Carry


The correct solution: have PayPal post back a variable and check for it.

Also check the referrer and other simple issues you can check via PHP, and if any fail do a redirect.

Remember, nothing is 100% hack proof <If it can be written, it can be unwritten>, but with a little care it can be prevented against most would-be script kiddies.

The rest... well, it doesn't matter anyway because those elites will hack the !@#$ thing anyway and place it on a torrent. MS and others have lost millions and tossed millions after preventing the loss with only limited success.

Just follow the suggestions in the first paragraph and you should be fairly secure. As for the rest, if it's software, don't lose sleep over it, because it will happen. This is coming from a 23 yr veteran programmer, and I have, like most, lost a lot of money to pirates over the years. Thank goodness there are still enough honest people out there so I can make a living. :P

The past is the past and cannot be changed, while the future is shaped by actions taken in the present.


For those that are not sure of this, here are the PayPal programs (other than IPN):

 

PayPal Website Payments Pro (US) Direct Payments

PayPal Express Checkout

PayPal Website Payments Standard <---- confirmed tonight: the hack works on this with or without osCsid after it

PayPal Website Payments Pro (UK) Direct Payments

PayPal Website Payments Pro (UK) Express Checkout

 

 

Has anyone identified whether each of the other items above has this hack problem of checking out without payment? Ideally we could firm up dialogue on which ones are affected, UK and otherwise, so that they can be avoided.

 

Carry


It has been said and said time and again - the old Standard PayPal module, or any payment module which does not make a callback to the website, can be fooled into thinking that the order is complete.

 

This is not a problem for sites which sell physical (non-downloadable) products, because you should never ship anything without first checking your payment provider account to see that the money is actually in your account - even if you do get an email which appears to be from them.

 

If your website uses a payment module which does make a callback, then you are usually safe from this sort of hack (hardly worth calling it a hack).

 

To the person who commented that they couldn't manually approve all downloads when using Downloads Controller - you don't have to. The only time that the download has to be approved by the site admin is when the order uses the Check/Money Order module, or if you use a BACS (Bank) payment module - cases where the actual payment is delayed. And you'd do that anyway for downloads.

 

Vger


I guess it could be summed up in a sentence then, for those who are not focused on "call backs" etc., primarily the new users of osCommerce and payment methods: all PayPal mods except PayPal IPN http://addons.oscommerce.com/info/2679 are vulnerable.

The focus of this thread was not to beat up the subject or belabor it, but to bring attention to a very real issue - do a search of osC sites out there where people are earning a living and many, many still have standard PayPal vulnerabilities. Ideally we could close this thread with confirmation from the nobilities that the first paragraph is true or false? I still am not clear, and I am not a n00b. lol

Would like to "see" which ones are vulnerable and which not. Will post as I test and find out.


For those who use the latest osCommerce RC2a

 

There is no need to install an extra PayPal IPN module...

 

The module in RC2a called PayPal Website Payments Standard is using IPN.


  • 2 months later...

We managed to fix the "free download" issue by modifying 2 lines in downloads.php. This may not work for everyone but it will stop people from stealing your downloads in most cases... Basically this mod requires the order be marked "Shipped" in order for the download link to appear. If it's marked anything else the link doesn't show up. That means you will have to manually approve the download. I know it's an extra step but it beats getting ripped off.

 

Open includes/modules/downloads.php . On or around line 25 find the following...

$downloads_query = tep_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, opd.download_maxdays, op.products_name, opd.orders_products_download_id, opd.orders_products_filename, opd.download_count, opd.download_maxdays from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_PRODUCTS . " op, " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " opd where o.customers_id = '" . (int)$customer_id . "' and o.orders_id = '" . (int)$last_order . "' and o.orders_id = op.orders_id and op.orders_products_id = opd.orders_products_id and opd.orders_products_filename != ''");

 

Just after "as date_purchased_day," in that line add o.orders_status, so it looks like this...

$downloads_query = tep_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, o.orders_status, opd.download_maxdays, op.products_name, opd.orders_products_download_id, opd.orders_products_filename, opd.download_count" .   // o.orders_status added so it can be checked below
                                " from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_PRODUCTS . " op, " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " opd" .
                                " where o.customers_id = '" . (int)$customer_id . "'" .
                                " and o.orders_id = '" . (int)$last_order . "'" .
                                " and o.orders_id = op.orders_id" .
                                " and op.orders_products_id = opd.orders_products_id" .
                                " and opd.orders_products_filename != ''");

 

On or around line 57 find the following...

if ( ($downloads['download_count'] > 0) && (file_exists(DIR_FS_DOWNLOAD . $downloads['orders_products_filename'])) && ( ($downloads['download_maxdays'] == 0) || ($download_timestamp > time())) ) {

 

Just before ($downloads['download_count'] > 0) add ($downloads['orders_status'] == 3) && so it looks like this...

if ( ($downloads['orders_status'] == 3)                                                  // added: only an order in the paid/shipped status shows a link
     && ($downloads['download_count'] > 0)
     && (file_exists(DIR_FS_DOWNLOAD . $downloads['orders_products_filename']))
     && ( ($downloads['download_maxdays'] == 0) || ($download_timestamp > time()) ) ) {

 

As always be sure to backup downloads.php before making the above changes. Hope this helps at least a few of you...

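Both the download.php mod earlier in the thread and the includes/modules/downloads.php mod just above hard-code status 3 in two different files, so a store that later adds a second "paid" status (or changes the ID) has to remember both places, and a miss in either one reopens the hole. The following is an added example of one shared gate that both files can call; it is not osCommerce core code and not code from either post. It assumes the file is saved as includes/functions/downloads_gate.php and required from application_top.php, and that PAID_ORDERS_STATUS_IDS is set to the status IDs that mean money has actually been received in your store.

```php
<?php
// Added example, not osCommerce core code: a single "is this order paid?" rule
// shared by catalog/download.php and includes/modules/downloads.php.
// Assumed location: includes/functions/downloads_gate.php, required from
// application_top.php after the database functions are loaded.

define('PAID_ORDERS_STATUS_IDS', '3');   // assumed; comma-separated, e.g. '3,4' if two statuses mean paid

// Builds " and o.orders_status in ('3','4')" from integers only, so the
// fragment is safe to splice into the existing download queries. An empty or
// bad setting fails closed: the fragment then matches no row at all.
function tep_paid_status_sql($alias = 'o') {
    $ids = array();
    foreach (explode(',', PAID_ORDERS_STATUS_IDS) as $id) {
        $id = (int)trim($id);
        if ($id > 0) $ids[] = "'" . $id . "'";
    }
    if (count($ids) == 0) return " and 1 = 0";   // misconfigured: release nothing
    return " and " . $alias . ".orders_status in (" . implode(',', $ids) . ")";
}

// True only if the order exists, belongs to this customer, and is in a paid
// status. Binding the check to customers_id keeps one customer from reading
// another customer's paid order by guessing an orders_id.
function tep_order_paid_for_customer($orders_id, $customers_id) {
    $check_query = tep_db_query("select o.orders_id from " . TABLE_ORDERS . " o" .
                                " where o.orders_id = '" . (int)$orders_id . "'" .
                                " and o.customers_id = '" . (int)$customers_id . "'" .
                                tep_paid_status_sql('o'));
    return tep_db_num_rows($check_query) == 1;
}

// Usage in catalog/download.php, before its $downloads_query, so an unpaid
// order gets an explicit refusal instead of the blank page the posted mod gives:
//
//   if (!tep_order_paid_for_customer($HTTP_GET_VARS['order'], $customer_id)) {
//       header('HTTP/1.1 403 Forbidden');
//       exit;
//   }
//
// Usage in includes/modules/downloads.php: append tep_paid_status_sql('o') to
// the WHERE clause of $downloads_query, so unpaid orders produce no links.
```

Note that this gate only decides who may fetch a file; it is only as good as the process that moves an order into one of the paid statuses. If that is a manual step in admin, or an IPN-style callback that has verified the payment, the gate holds; if checkout_process.php itself is allowed to create orders directly in a paid status, the URL trick described in this thread still works.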