motorsep Posted June 17, 2012
This is pretty serious. Someone was able to right-click on the Confirm button when checking out with PayPal, simply corrected the price value, saved the file and checked out (Opera and Chrome issue). How to fix?! Thanks.
Guest Posted June 17, 2012
@@motorsep I checked this with Chrome and could not replicate the issue you stated. I do not use Opera, so I could not test it. Are you using a standard installation or a template site?
Chris
motorsep Posted June 17, 2012 (Author)
I am using a standard install. Here are the steps to reproduce (the "attacker" sent me these):
http://i062.radikal.ru/1206/c7/99e8f94bc005.png
http://s017.radikal.ru/i427/1206/80/7bf1e6b97b67.png
http://s019.radikal.ru/i637/1206/72/fb382df95632.png
So anyone can change the values, because the data isn't passed to PayPal securely.
MrPhil Posted June 20, 2012
That's interesting. I could well imagine that any application where the cost data is passed directly from the browser to any payment system (such as PayPal) could be modified in such a way as to fake the cost data. All it would take would be to use Firebug, or the built-in equivalent in other browsers, to modify "hidden" form data before it's sent, and you've just sold something for pennies on the dollar.

Is there anything to send a checksum or hash (generated on the server) so that PayPal could detect that the numbers are inconsistent? Does osC send the data directly to PayPal without going through the browser's HTML? Obviously, osC can detect such fraud by comparing numbers, but what is the recourse when the payment has already been sent to PayPal? Would a merchant be penalized for canceling sales and refunding payments?

Long ago, this sort of thing (altering costs in a GET string) was something we were warned about in HTML class: a fraudster could simply send their own GET string with their own numbers back to our server, and we needed to verify the numbers (check the price against the database price, etc.). It sounds like even with hidden POST data, fraudsters have the capability to insert their own values as desired. The only way to avoid this would be for osC (at the server) to talk directly to PayPal, and not send anything through the browser. Is it done this way already? I would hope so, as it's been possible for a long time to save a page's HTML to a file, alter it (e.g., hidden POST fields), and presumably send it on. The alternative would be to require osC (the server) to confirm the numbers before PayPal finalizes the transaction.
Mort-lemur Posted June 22, 2012
This is quite worrying. I tried it on my sites: made an order of around £10.00 and amended the amount to £0.01 prior to submission, as described above. The order was placed, the PayPal IPN gave a good result to the site, the order shows the correct value in admin, and yet I only paid £0.01 for the order. The only saving grace is that the PayPal IPN module I use kept the payment status at Pending, as the full amount had not been received. I can't comment on how PayPal Express or Standard would deal with this, or for that matter any of the other payment modules. Is there any way to fix this? I must admit I don't always check the order value against the PayPal payment. Thanks
Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
Mort-lemur Posted June 22, 2012
One thing I also forgot to mention is that both as the store owner and as the mischievous customer I receive emails stating that the order has been made - to the correct value! Thanks
multimixer Posted June 22, 2012
I wonder how it happens that checkout_confirmation.php has hidden fields for the values. The regular checkout_process.php does not need this kind of hidden value; it takes fresh data from the order class. The only hidden field in checkout_confirmation.php is for the order comments. So this is not an osCommerce problem in general, but a hole in some customization or addon.
My community profile | Template system for osCommerce - New: Responsive | Feedback channel
Mort-lemur Posted June 22, 2012
OK, I don't think I have that degree of customisation on my checkout confirmation page. Does anyone have an almost stock osC 2.2 store I can try this on? Thanks
burt Posted June 22, 2012
Some payment modules make use of hidden form elements, and it would be these that could be caught in this way. There is not a lot that can be done, other than to check that the payment amount and the order amount are the same (manually). Or, even better: don't use payment modules that use hidden form fields.
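The manual check Gary describes, and the server-side comparison MrPhil asks about, can be done automatically in the IPN listener before an order is marked as paid. The following is an added example written for this thread, not code from osCommerce's paypal_standard module or from any IPN addon. The field names (mc_gross, mc_currency, receiver_email, payment_status, txn_id) are the ones PayPal sends in an IPN message; the $order array, the function names and the sample values are assumptions for the example.

```php
<?php
// Added example, not osCommerce code: checks an IPN listener should run before an order is
// marked paid. The IPN keys are PayPal's; the $order shape and function names are assumed.

/**
 * Compare an IPN message with the order the server stored at checkout time.
 * Returns an empty array when everything matches, otherwise the reasons to hold the order.
 */
function ipn_check_against_order(array $ipn, array $order, string $merchant_email, array $seen_txn_ids): array
{
    $problems = [];

    // 1. The money must have gone to *our* PayPal account, not one the buyer substituted.
    $receiver = strtolower(trim($ipn['receiver_email'] ?? $ipn['business'] ?? ''));
    if ($receiver !== strtolower(trim($merchant_email))) {
        $problems[] = 'receiver_email does not match the merchant account';
    }

    // 2. Same currency as the order; 0.01 of one currency is not 10.00 of another.
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }

    // 3. The amount paid must equal the total the *server* computed at checkout, never a value
    //    that came back through the browser. Compare as fixed-point strings, not floats.
    $paid     = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    $expected = number_format((float)$order['total'], 2, '.', '');
    if ($paid !== $expected) {
        $problems[] = sprintf('amount mismatch: paid %s, order total %s', $paid, $expected);
    }

    // 4. Only a Completed payment is money in the account; Pending, Reversed, Refunded stay on hold.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is ' . ($ipn['payment_status'] ?? '(missing)');
    }

    // 5. Each txn_id is processed once, so a replayed Completed IPN cannot mark a new order paid.
    if (in_array($ipn['txn_id'] ?? '', $seen_txn_ids, true)) {
        $problems[] = 'duplicate txn_id (replay)';
    }

    return $problems;
}

/**
 * Post the raw IPN body back to PayPal and accept only the literal answer "VERIFIED".
 * Needs network access; the sample run below exercises only the offline comparison.
 */
function ipn_postback_verified(string $raw_body, bool $sandbox = false): bool
{
    $url = $sandbox ? 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'
                    : 'https://ipnpb.paypal.com/cgi-bin/webscr';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === 'VERIFIED';
}

// Constructed sample: the order as stored by checkout_process, and an IPN for the £0.01 payment
// produced by the tampered checkout described in this thread.
$order = ['id' => 1234, 'total' => '10.00', 'currency' => 'GBP'];
$ipn   = [
    'receiver_email' => 'shop@example.com',
    'mc_gross'       => '0.01',
    'mc_currency'    => 'GBP',
    'payment_status' => 'Completed',
    'txn_id'         => '1AB23456CD789012E',
];
$problems = ipn_check_against_order($ipn, $order, 'shop@example.com', []);
echo $problems
    ? "HOLD order {$order['id']}: " . implode('; ', $problems) . "\n"
    : "Order {$order['id']} paid in full\n";
```

The order of operations matters: run ipn_postback_verified() on the raw POST body first (so a forged IPN never reaches the comparison), then ipn_check_against_order() against the totals the server stored, and only when both pass update the order status. The comparison is against the stored total, not the value in the IPN, because the IPN faithfully reports whatever the buyer actually paid.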
Mort-lemur Posted June 22, 2012
Yeah, I looked at other payment methods - EPDQ, Bank Transfer, Cheque, etc. Looks like this is only with PayPal payments - well, on my sites anyway! Thanks
burt Posted June 22, 2012
I think, though I have not checked, paypal_standard (the one packaged with 2.3.1) would be OK.
Mort-lemur Posted June 22, 2012
No, I tried that one on my development site - that has hidden fields as well.
burt Posted June 22, 2012
Ah, OK. I had a feeling they were encrypted, but obviously not!
♥Biancoblu Posted June 22, 2012
Does this happen with PayPal Express as well, or just with PayPal Standard?
~ Don't mistake my kindness for weakness ~
Mort-lemur Posted June 22, 2012
Having read through the PayPal details for setting up a site with PayPal, it looks like it is a requirement to have hidden fields to be able to use PayPal. I wonder if this could be exploited on non-osC sites - I may take a look at that....
Mort-lemur Posted June 22, 2012
OK, I just went to the osC Sponsorship page, where I selected the 30 Euro option for sponsorship, displayed the hidden fields as shown below, and changed the 30 Euro to 1 Euro - sure enough, when I pressed submit I was taken to PayPal, where I was being billed for 1 Euro. So this is a problem / possible exploit for all sites using PayPal.
Mort-lemur Posted June 22, 2012
I think the answer lies here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q
But that is beyond me unless someone puts it in simple terms. Thanks
♥Biancoblu Posted June 23, 2012
Hidden fields can be encrypted (I use PayPal buttons on a non-osC site and could choose the option to encrypt them when creating the actual button in the PayPal account). As for the osC shops, there is a setting in the PayPal Standard module, "enable encrypted web payments"; I haven't had time yet to try/test this, but the solution may lie there. I believe you're also meant to request API credentials from your PayPal account: go to profile > my selling tools > API access. I am not sure, however, where to enter the API certificate in shop admin; in fact, in the PayPal Standard module we have "your private key", "your public certificate", "paypal's public certificate" and "your paypal public certificate ID". If anyone knows how to set this up, please help.
burt Posted June 23, 2012
http://www.oscommerce.com/forums/topic/287153-paypal-ipn-how-to-generate-your-encryption-certs/
I knew I recalled something about encryption. In essence: install openssl, create the "key", then create the "public certificate" using the key.
Log in to your PayPal and go: profile > my selling preferences > encrypted payment settings (it's right at the bottom of the page). Click "add". Upload the PUBLIC cert you made. Follow the instructions.
Now you should have all the data/files needed to set the payments_standard setting to true.
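What the module does with those files once the "enable encrypted web payments" setting is on, written out as an added example. This is not the paypal_standard module's own code, although it performs the same PKCS#7 sign-then-encrypt sequence that PayPal documents for Encrypted Website Payments: the button variables are signed with the merchant's private key, the signature is encrypted to PayPal's certificate, and the page sends PayPal a single opaque "encrypted" field instead of an editable amount. To run offline it generates a throw-away merchant key pair and a stand-in for PayPal's certificate; in production the merchant key and certificate are the ones made with openssl as described above, PayPal's certificate is downloaded from the same profile page, and the certificate ID is the one PayPal shows after the public certificate is uploaded. The file names, the certificate ID, the notify_url and the helper names are assumptions for this example.

```php
<?php
// Added example, not osCommerce's paypal_standard code. Demonstrates PayPal Encrypted Website
// Payments (EWP): button variables are signed with the merchant key, encrypted to PayPal's
// certificate, and the browser only ever sees one opaque "encrypted" field.
// File names, the certificate ID and the notify_url below are assumptions for this example.

// Stand-in for: openssl genrsa -out key.pem 2048 ; openssl req -new -x509 -key key.pem -out cert.pem
function ewp_make_self_signed(string $cn, string $key_file, string $cert_file): void
{
    $key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr  = openssl_csr_new(['commonName' => $cn], $key);
    $cert = openssl_csr_sign($csr, null, $key, 365);          // null CA cert => self-signed
    openssl_pkey_export_to_file($key, $key_file);
    openssl_x509_export_to_file($cert, $cert_file);
}

// PHP's pkcs7 functions write S/MIME (headers, blank line, base64 body); return only the body.
function smime_body(string $smime): string
{
    $parts = explode("\n\n", str_replace("\r\n", "\n", $smime), 2);
    return trim($parts[1] ?? '');
}

// Build the value of the "encrypted" hidden field from the button variables.
function ewp_encrypt_button(array $vars, string $cert_id, string $merchant_cert,
                            string $merchant_key, string $paypal_cert, string $workdir): string
{
    $vars['cert_id'] = $cert_id;                  // tells PayPal which uploaded cert to verify with
    $plain = '';
    foreach ($vars as $k => $v) {
        $plain .= $k . '=' . $v . "\n";
    }
    $clear  = $workdir . '/ewp-clear.txt';
    $signed = $workdir . '/ewp-signed.txt';
    $enc    = $workdir . '/ewp-encrypted.txt';
    file_put_contents($clear, $plain);

    // openssl smime -sign -signer cert.pem -inkey key.pem -nodetach -binary -outform der
    // (PKCS7_BINARY without PKCS7_DETACHED gives the opaque, non-detached signature)
    if (!openssl_pkcs7_sign($clear, $signed, 'file://' . $merchant_cert,
                            ['file://' . $merchant_key, ''], [], PKCS7_BINARY)) {
        throw new RuntimeException('sign failed: ' . openssl_error_string());
    }
    // unwrap the S/MIME output to the raw DER signature before enveloping it
    file_put_contents($signed, base64_decode(smime_body(file_get_contents($signed))));

    // openssl smime -encrypt -des3 -binary -outform pem paypal_cert.pem
    // (3DES is passed explicitly to match PayPal's documented command line)
    if (!openssl_pkcs7_encrypt($signed, $enc, 'file://' . $paypal_cert, [],
                               PKCS7_BINARY, OPENSSL_CIPHER_3DES)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    $blob = str_replace("\n", '', smime_body(file_get_contents($enc)));

    foreach ([$clear, $signed, $enc] as $f) {     // never leave the clear text on disk
        unlink($f);
    }
    return '-----BEGIN PKCS7-----' . $blob . '-----END PKCS7-----';
}

// Constructed sample run: two throw-away certificates stand in for the merchant's and PayPal's.
$tmp = sys_get_temp_dir();
ewp_make_self_signed('shop.example.com', "$tmp/merchant-key.pem", "$tmp/merchant-cert.pem");
ewp_make_self_signed('paypal-stand-in',  "$tmp/paypal-key.pem",   "$tmp/paypal-cert.pem");

$encrypted = ewp_encrypt_button([
    'cmd'           => '_xclick',
    'business'      => 'shop@example.com',
    'item_name'     => 'Order 1234',
    'amount'        => '10.00',
    'currency_code' => 'GBP',
    'notify_url'    => 'https://shop.example.com/ipn.php',   // assumed IPN listener
], 'ASSUMED-CERT-ID', "$tmp/merchant-cert.pem", "$tmp/merchant-key.pem", "$tmp/paypal-cert.pem", $tmp);

// What the checkout page now emits instead of amount=10.00 in the clear.
echo '<input type="hidden" name="cmd" value="_s-xclick">' . "\n";
echo '<input type="hidden" name="encrypted" value="' . htmlspecialchars($encrypted) . '">' . "\n";
```

The private key and the working directory must sit outside the web root and be readable only by the PHP process; anyone who can read the key can produce their own "valid" buttons. PayPal verifies the inner signature against the certificate uploaded under that cert_id, so an altered or re-encrypted blob is refused, but this only protects the amount sent to PayPal: the IPN amount check is still needed, because a buyer can always abandon the encrypted form and pay any amount through a plain PayPal transaction.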
♥Biancoblu Posted June 23, 2012
Thanks for that link, Gary. I'm probably missing something dead obvious, but I am still not sure at all what needs to be installed and where. I have downloaded my API credentials and was given an RSA private key and a certificate. I also found where to download PayPal's public certificate. Is that the info that needs to be entered for encrypted payments?
♥Biancoblu Posted June 23, 2012
After researching the issue, it seems API credentials are needed for PayPal Express, not PayPal Standard. I can't install openssl nor create a key, so I'm giving up for now and will just manually check that the payment amount and item price do match.
Mort-lemur Posted June 23, 2012
@@Biancoblu I have used openssl to generate public and private keys, downloaded the PayPal public key, etc. Like you, what I am missing is where to upload these to on the server.... Is it simply a case of creating a new directory, adding these to it and then calling them up from the PayPal module in admin? Or do I need to install some of the openssl files as well?
Mort-lemur Posted June 23, 2012
OK - it is now done :-) and confirmed that the hidden fields are encrypted and PayPal IPN still works! If I have time later I will document the steps to do this. Thanks
Mort-lemur Posted June 23, 2012
OK, all of my sites are now secure against this potential exploit, all tested, and trial purchases made. I would like to post the exact steps to achieve this - does anyone think it would be worthwhile doing that in a new thread, or even as a contribution? Or if nobody is interested I won't bother. Thanks
♥altoid Posted June 23, 2012
Quoting Mort-lemur: "OK, all of my sites are now secure against this potential exploit, all tested, and trial purchases made. I would like to post the exact steps to achieve this - does anyone think it would be worthwhile doing that in a new thread, or even as a contribution? Or if nobody is interested I won't bother. Thanks"
I use PP IPN on four sites, so I am interested. I looked at openssl, and that for me is a bit of a learning curve as well, but I'll tackle it. Thanks
I am not a professional webmaster or PHP coder by background or training, but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.
This topic is now archived and is closed to further replies.