Latest News: (loading..)

Archived

This topic is now archived and is closed to further replies.

motorsep

Checkout confirmation exploit with Opera !

29 posts in this topic

This is pretty serious. Someone was able to right-click on Confirm button checking out with PayPal and simply corrected price value, saved file and checked out (opera and chrome issue). How to fix?! Thanks.

Share this post


Link to post
Share on other sites

@@motorsep

 

I checked this with Chrome and could not replicate the issue you stated. I do not use Opera so I could not test it. Are you using a standard installation or a template site ?

 

 

 

Chris

Share this post


Link to post
Share on other sites

That's interesting. I could well imagine that any application where the cost data is passed directly from the browser to any payment system (such as PayPal) could be modified in such a way as to fake the cost data. All it would take would be to use Firebug or the built-in equivalent in other browsers to modify "hidden" form data before it's sent, and you've just sold something for pennies on the dollar. Is there anything to send a checksum or hash (generated on the server) so that PayPal could detect that the numbers are inconsistent? Does osC send the data directly to PayPal without going through the browser's HTML? Obviously, osC can detect such fraud by comparing numbers, but what is the recourse when that's already been sent to PayPal? Would a merchant be penalized for canceling sales and refunding payments?

 

Long ago, this sort of thing (altering costs in a GET string) was something we were warned about in HTML class, that a fraudster could simply send their own GET string with their own numbers back to our server, and we needed to verify numbers (check price against the database price, etc.). It sounds like even with hidden POST data, that fraudsters have the capability to insert their own values as desired. The only way to avoid this would be for osC (at the server) to talk directly to PayPal, and not send anything through the browser. Is it done this way already? I would hope so, as it's been possible for a long time to save a page's HTML in a file, alter it (e.g., hidden POST fields), and presumably send it on. The alternative would be to require osC (server) to confirm the numbers before PayPal finalizes the transaction.

Share this post


Link to post
Share on other sites

This is quite worrying,

 

I tried it on my sites, made an order of around £10.00, amended the amount to £0.01 prior to submission as described above.

 

The order was placed, the Paypal IPN gave a good result to the site, the order shows the correct value in admin and yet I only paid £0.01 for the order. - the only saving grace, is that the paypal IPN module I use kept the payment status at Pending as the full amount had not been received.

 

I can't comment on how paypal express or standard would deal with this, or for that matter any of the other payment modules

 

Is there any way to fix this? as I must admit I dont always check the order value to the paypal payment.

 

Thanks

Share this post


Link to post
Share on other sites

One thing I also forgot to mention is that both as a store owner, and the mischievious customer I receive emails stating that the order has been made - to the correct value!

 

Thanks

Share this post


Link to post
Share on other sites

I wonder how it happens that checkout_confirmation.php has that hidden fields for the values.

 

The regular checkout_process.php does not need this kind of hidden values, it takes fresh data from the order class

 

The only hidden field in checkout_confirmation.php is about the order comments.

 

So this is not a osCommerce problem in general, but a whole of some customization or addon

Share this post


Link to post
Share on other sites

Ok I dont think I have that degree of customisation on my checkout confirmation page.

 

Does anyone have an almost stock OSC 2.2 store I can try this on?

 

Thanks

Share this post


Link to post
Share on other sites

Some payment modules make use of hidden form elements and it would be these that could be caught in this way.

There is not a lot that can be done, other than to check the payment amount and the order mount are the same (manually).

 

Or, even better; don't use payment modules that use hidden form fields.

Share this post


Link to post
Share on other sites

Yea looked at other payment methods - EPDQ, Bank Transfer, Cheque etc

 

Looks like this is only with paypal payments - well on my sites anyway!

 

Thanks

Share this post


Link to post
Share on other sites

I think, though I have not checked...paypal_standard (the one packaged with 2.3.1) would be OK.

Share this post


Link to post
Share on other sites

Ah OK. I had a feeling they were encrypted, but obviously not!

Share this post


Link to post
Share on other sites

Does this happen with Paypal Express as well or just with paypal standard?

Share this post


Link to post
Share on other sites

Having read through the paypal details for setting up a site with paypal - it looks like it is a requirement to have hidden fields to be able to use paypal.

 

I wonder if this could be exploited on non osc sites - I may take a look at that....

Share this post


Link to post
Share on other sites

OK,

 

I just went to the OSC Sponsorship page, where I selected the 30 Euro option for sponsorship, displayed the hidden fields as shown below, and changed the 30 Euro to 1 Euro - sure enough when I pressed submit I was taken to paypal where I was being billed for 1 Euro.

 

So this is a problem / possible exploit for all sites using paypal

Share this post


Link to post
Share on other sites

Hidden fields can be encrypted (I use paypal buttons on a NON-osc site and could choose the option to encrypt them when creating the actual button in the paypal account).

 

As for the osc shops, there is a setting in the paypal standard module: "enable encrypted web payments", I haven't had time yet to try/test this, but the solution may lie there. I believe you're also meant to request API credentials from your paypal account, go to profile>my selling tools>API access. I am not sure however where to enter the API certificate in shop admin, in fact in the paypal standard module we have "your private key", "your public certificate", "paypals public certificate", "your paypal public certificate ID".

If anyone knows how to set this up, please help.

Share this post


Link to post
Share on other sites

http://forums.oscommerce.com/topic/287153-paypal-ipn-how-to-generate-your-encryption-certs/

 

I knew I recalled something about encryption.

 

In essence, install openssl, create the "key", create the "public certificate" using the key

Login to your paypal and go;

profile > my selling preferences > encrypted payment settings" (it's right at the bottom of the page)

 

Click "add". Upload the PUBLIC cert you made. Follow the instructions.

 

Now you should have all the data/files needed to set the payments_standard to true.

Share this post


Link to post
Share on other sites

Thanks for that link Gary.

I'm probably missing something dead obvious but I am still not sure at all what needs to be installed and where.

I have downloaded my API credentials and was given an RSA private key and a certificate. I also found where to download Paypals public certificate. Is that the info that needs to be entered for encrypted payments?

Share this post


Link to post
Share on other sites

After researching the issue it seems API credentials are needed for paypal express, not paypal standard. I can't install openssl nor create a key so I'm giving up for now and will just manually check that the payment amount and item price do match.

Share this post


Link to post
Share on other sites

@@Biancoblu

 

I have used openssl to generate public and private keys, downloaded the paypal public key etc.

 

Like you, what I am missing is where to upload these to on the server.... Is it simply a case of creating a new directory, adding these to it and then calling them up from the paypal module in admin? or do I need to install some of the openssl files as well?

Share this post


Link to post
Share on other sites

OK - it is now done :-) and confirmed that the hidden fields are encripted and paypal IPN still works!

 

If I have time later I will document the steps to do this.

 

Thanks

Share this post


Link to post
Share on other sites

OK all of my sites are now secure against this potential exploit, all tested, and trial purchases made.

 

I would like to post the exact steps to achieve this - does anyone think it would be worthwhile doing that in a new thread or even as a contribution?

 

Or if nobody is interested I wont bother

 

Thanks

Share this post


Link to post
Share on other sites

OK all of my sites are now secure against this potential exploit, all tested, and trial purchases made.

 

I would like to post the exact steps to achieve this - does anyone think it would be worthwhile doing that in a new thread or even as a contribution?

 

Or if nobody is interested I wont bother

 

Thanks

 

I use PP IPN on four sites, so I am interested. I looked at openssl, and that for me is a bit of a learning curve as well, but I'll tackle it. Thanks

Share this post


Link to post
Share on other sites