chooch 1 Posted August 26, 2009

Just like with the PayPal IPN (and PayPal Express but not PayPal WPP) and numerous other payment contributions, the Moneybookers module is open to abuse. The hack will affect store owners by having to use their time to filter through and find order statuses for hacked orders and genuine ones, but if you sell virtual products like audio/visual downloads then you are losing money as people are obtaining them for free.

Here's the Moneybookers hack:

1) Open an account on any oscommerce store
2) Add any items to cart and hit the checkout button
3) When you get to checkout_payment.php select Moneybookers
4) Then when the Moneybookers payment details appear simply change the end of the URL in your browser from 'checkout_payment.php' to 'checkout_process.php' and press enter/return.
5) Checkout_success.php appears and order has been completed

From what I can tell it needs to be plugged in checkout_payment before and after Moneybookers is selected, otherwise those with digital downloads are open to fraud. The same hack affects nearly all of the payment modules for oscommerce.

For what it's worth, PayPal WPP, if selected from a list of options by customers or if used by store owners as the default single payment option, blocks this hack from working; the only time I could tell PayPal WPP was open to the hack was when Express Checkout was installed and operated alongside WPP.

Be careful people.

Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back! Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you? There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere. CHOOCH

herrgray 0 Posted August 27, 2009

Hi,

This is a common problem with the OS commerce script. All shop owners should check to see if a payment has actually been made before they ship any products.

A lot of payment processors have not implemented ways to check for a successful transaction (ex. returning a hashed value); the check out functions usually default return (i.e. no checks made), so unfortunately there is not a way to stop the checkout_process.php bug.

It should be noted this is an OSc bug as well, and such functions should take place in a protected class, not in a public php doc.

Gray Appleton

PHP5, Javascript, MySQL and now Flash????????....... Ohhhhhh..... I think I have a head ache.....

Guest Posted August 27, 2009

> Hi,
>
> This is a common problem with the OS commerce script. All shop owners should check to see if a payment has actually been made before they ship any products.
>
> A lot of payment processors have not implemented ways to check for a successful transaction (ex. returning a hashed value); the check out functions usually default return (i.e. no checks made), so unfortunately there is not a way to stop the checkout_process.php bug.
>
> It should be noted this is an OSc bug as well, and such functions should take place in a protected class, not in a public php doc.
>
> Gray Appleton

I tried this hack on my site and it didn't seem to work. I went to the checkout page and changed the URL (without entering any CC information) and it just sent me back to the page where I had to enter the CC information. I'm using authorize.net AIM.

chooch 1 Posted August 27, 2009 (edited)

> I tried this hack on my site and it didn't seem to work. I went to the checkout page and changed the URL (without entering any CC information) and it just sent me back to the page where I had to enter the CC information. I'm using authorize.net AIM.

The hack does not work on HSBC, PayPal WPP, Authorizenet AIM, but I think it does work on AuthorizeNet basic, and it does not work on some other payment modules, but the hack does work on PayPal standard, PayPal IPN, PayPal WPP if Express Checkout is activated, Moneybookers and many others.

The hack can only be confirmed by process of elimination. I only highlighted the issue here because apparently Moneybookers is becoming popular with lots of stores and I used the contribution to test.

Anyone with downloadable products or digital/software/music/video files etc. are the ones who will be at risk until they decide which payment module they want and test to see if the hack works before working out a way to plug it.

Edited August 27, 2009 by chooch

herrgray 0 Posted August 28, 2009

> A lot of payment processors have not implemented ways to check for a successful transaction

I said a lot, not all...

> The hack can only be confirmed by process of elimination.

chooch is pretty much correct here... If you're not a programmer familiar with php(object) then there is no other way other than trial and error. So, play it on the safe side and:

> check to see if a payment has actually been made before they ship any products.

A lot of payment processors do not have the funds or the man power to develop modules for all the open source web shops out there.

Gray
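
One way to implement the check herrgray describes (a hashed value returned by the processor and verified before an order is treated as paid), added here as an example and not code from osCommerce or any payment module. The callback fields, the HMAC-SHA256 scheme and every function name are assumptions; a real gateway documents its own callback format.

```php
<?php
// Added example: hypothetical field names and signing scheme, not osCommerce
// or Moneybookers code. Real gateways document their own callback format.

// Recompute the keyed hash the gateway would send over the callback fields.
function callback_signature(array $cb, string $secret): string {
    $msg = implode('|', [$cb['order_id'], $cb['amount'], $cb['currency'], $cb['status']]);
    return hash_hmac('sha256', $msg, $secret);
}

// Return true only if the callback is authentic and pays this order in full.
function payment_confirmed(array $order, array $cb, string $secret): bool {
    foreach (['order_id', 'amount', 'currency', 'status', 'sig'] as $k) {
        if (!isset($cb[$k]) || !is_string($cb[$k])) return false;
    }
    // Constant-time comparison of the expected and supplied signatures.
    if (!hash_equals(callback_signature($cb, $secret), $cb['sig'])) return false;
    return $cb['status'] === 'paid'
        && $cb['order_id'] === $order['id']
        && $cb['currency'] === $order['currency']
        && $cb['amount'] === $order['total'];
}

// What the order-completion step should do: no confirmed callback, no release.
function finalize_order(array $order, ?array $cb, string $secret): string {
    if ($cb === null || !payment_confirmed($order, $cb, $secret)) {
        return 'pending';   // keep downloads locked until payment is verified
    }
    return 'paid';
}

// Constructed sample data.
$secret = 'constructed-shared-secret';
$order  = ['id' => '1001', 'currency' => 'EUR', 'total' => '19.99'];
$good   = ['order_id' => '1001', 'amount' => '19.99', 'currency' => 'EUR', 'status' => 'paid'];
$good['sig'] = callback_signature($good, $secret);
$tampered = array_merge($good, ['amount' => '0.01']);  // signature no longer matches

echo finalize_order($order, null, $secret), "\n";       // request with no gateway callback
echo finalize_order($order, $tampered, $secret), "\n";  // callback with altered amount
echo finalize_order($order, $good, $secret), "\n";      // authentic callback
```

The order state is decided from the verified callback alone, so which page the browser requests has no effect on whether downloads are released.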