chooch Posted August 26, 2009

Just like with the PayPal IPN (and PayPal Express but not PayPal WPP) and numerous other payment contributions, the Moneybookers module is open to abuse. The hack will affect store owners by having to use their time to filter through and find order statuses for hacked orders and genuine ones, but if you sell virtual products like audio/visual downloads then you are losing money as people are obtaining them for free.

Here's the Moneybookers hack:

1) Open an account on any osCommerce store
2) Add any items to cart and hit the checkout button
3) When you get to checkout_payment.php select Moneybookers
4) Then when the Moneybookers payment details appear simply change the end of the URL in your browser from 'checkout_payment.php' to 'checkout_process.php' and press enter/return.
5) checkout_success.php appears and the order has been completed

From what I can tell it needs to be plugged in checkout_payment before and after Moneybookers is selected, otherwise those with digital downloads are open to fraud. The same hack affects nearly all of the payment modules for osCommerce.

For what it's worth, PayPal WPP, if selected from a list of options by customers or if used by store owners as the default single payment option, blocks this hack from working; the only time I could tell PayPal WPP was open to the hack was when Express Checkout was installed and operated alongside WPP.

Be careful people.

CHOOCH
herrgray Posted August 27, 2009

Hi,

This is a common problem with the osCommerce script. All shop owners should check to see if a payment has actually been made before they ship any products. A lot of payment processors have not implemented ways to check for a successful transaction (ex. returning a hashed value); the checkout functions usually default return (i.e. no checks made), so unfortunately there is not a way to stop the checkout_process.php bug.

It should be noted this is an OSc bug as well, and such functions should take place in a protected class, not in a public php doc.

Gray Appleton
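The two posts above describe the flaw from both sides: a shopper can skip from checkout_payment.php straight to checkout_process.php, and the module's pre-order check "default returns" without verifying anything. The PHP below is an added illustration, not osCommerce, Moneybookers or either poster's code; it assumes a checkout that stores the chosen module in the session and calls the module's before_process() before writing the order, and the signed notification it verifies is a constructed scheme, not any real processor's.

```php
<?php
// Added example, not osCommerce or Moneybookers code. Assumes checkout_process.php
// calls the selected module's before_process() before it creates the order.
// The signed "notification" below is a constructed scheme for illustration only.

abstract class payment_module {
    // Weak default (what herrgray describes): no check is made, so a shopper who
    // edits the URL from checkout_payment.php to checkout_process.php is let through.
    public function before_process(array $session) { return true; }
}

class weak_redirect_module extends payment_module {}   // inherits the no-op check

class hardened_redirect_module extends payment_module {
    private $shared_secret;
    public function __construct($shared_secret) { $this->shared_secret = $shared_secret; }

    // Server-to-server path only: called when the processor notifies the store of a
    // paid transaction. This is the sole place that sets the "paid" flag, and only
    // after the signature over order id, amount and status verifies.
    public function record_notification(array &$session, array $notice) {
        $data = $notice['order_id'] . '|' . $notice['amount'] . '|' . $notice['status'];
        $expected = hash_hmac('sha256', $data, $this->shared_secret);
        if (!hash_equals($expected, $notice['sig']) || $notice['status'] !== 'paid') {
            return false;                     // forged, tampered or unpaid: ignore it
        }
        $session['paid'][$notice['order_id']] = $notice['amount'];
        return true;
    }

    // Refuse to finish the order unless the processor confirmed the full cart total.
    public function before_process(array $session) {
        $id = $session['order_id'];
        return isset($session['paid'][$id]) && $session['paid'][$id] === $session['cart_total'];
    }
}

// Stand-in for checkout_process.php: 'completed' or 'redirect_to_payment'.
function checkout_process(payment_module $module, array $session) {
    return $module->before_process($session) ? 'completed' : 'redirect_to_payment';
}

// Constructed walk-through of the thread's scenario.
$session = array('order_id' => '1001', 'cart_total' => '19.99');
echo checkout_process(new weak_redirect_module(), $session), "\n";   // URL edit, no payment
$hard = new hardened_redirect_module('store-secret');
echo checkout_process($hard, $session), "\n";                        // same URL edit, hardened module
$notice = array('order_id' => '1001', 'amount' => '19.99', 'status' => 'paid');
$notice['sig'] = hash_hmac('sha256', '1001|19.99|paid', 'store-secret');
$hard->record_notification($session, $notice);                       // processor confirms payment
echo checkout_process($hard, $session), "\n";                        // order may now complete
```

The point is that the flag before_process() relies on is written only by a server-side handler after a verified notification, so nothing the shopper's browser can request sets it.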
Guest Posted August 27, 2009

Hi,

This is a common problem with the osCommerce script. All shop owners should check to see if a payment has actually been made before they ship any products. A lot of payment processors have not implemented ways to check for a successful transaction (ex. returning a hashed value); the checkout functions usually default return (i.e. no checks made), so unfortunately there is not a way to stop the checkout_process.php bug.

It should be noted this is an OSc bug as well, and such functions should take place in a protected class, not in a public php doc.

Gray Appleton

I tried this hack on my site and it didn't seem to work. I went to the checkout page and changed the URL (without entering any CC information) and it just sent me back to the page where I had to enter the CC information. I'm using authorize.net AIM.
chooch Posted August 27, 2009 (edited)

I tried this hack on my site and it didn't seem to work. I went to the checkout page and changed the URL (without entering any CC information) and it just sent me back to the page where I had to enter the CC information. I'm using authorize.net AIM.

The hack does not work on HSBC, PayPal WPP or Authorize.net AIM, but I think it does work on Authorize.net basic, and it does not work on some other payment modules, but the hack does work on PayPal Standard, PayPal IPN, PayPal WPP if Express Checkout is activated, Moneybookers and many others. The hack can only be confirmed by process of elimination.

I only highlighted the issue here because apparently Moneybookers is becoming popular with lots of stores and I used the contribution to test.

Anyone with downloadable products or digital/software/music/video files etc. is at risk until they decide which payment module they want and test to see if the hack works before working out a way to plug it.

Edited August 27, 2009 by chooch

CHOOCH
herrgray Posted August 28, 2009

A lot of payment processors have not implemented ways to check for a successful transaction

I said a lot, not all...

The hack can only be confirmed by process of elimination.

chooch is pretty much correct here... If you're not a programmer familiar with PHP (object) then there is no other way other than trial and error. So, play it on the safe side and: check to see if a payment has actually been made before they ship any products.

A lot of payment processors do not have the funds or the manpower to develop modules for all the open source web shops out there.

Gray