Mort-lemur Posted June 23, 2012

Starting a new thread for this so it is easier for others to find if needed.

Adding Encryption to PayPal to Prevent Checkout_Confirmation Exploit
***********************************************************************************

As standard, the PayPal Standard and PayPal IPN modules use hidden fields to post data to PayPal. (I cannot comment on PayPal Express as I don't use it.)

It is possible on the checkout_confirmation page, using a tool such as Firebug, to view and modify these hidden fields, changing the value that is posted to PayPal and paying pennies for an order that should cost £££££. If, like me, you don't always check the order value against your PayPal account, this may not get picked up and the order may be shipped, which to me is an unacceptable vulnerability.

The following steps detail how to install the PayPal encryption system, which will encrypt these hidden fields prior to submission so a mischievous shopper cannot alter the order value. This is a feature in the PayPal payment modules that is often ignored.

This has been tested on several of my OSC 2.2RC2a stores using the PayPal IPN module, and having looked at the PayPal Standard module on OSC 2.3.1 I can see no reason why it won't work on that either.

I take no credit for this; all I have done is pull together information from various posts and try to put the steps in a logical manner.

Installation
=========

1) Download and install the OpenSSL software (Win32 OpenSSL v0.9.8g Light) to your computer from:
http://slproweb.com/products/Win32OpenSSL.html

For the OpenSSL software to function correctly you may need to download and install Windows Visual C++ from:
http://www.microsoft.com/en-us/download/details.aspx?id=5555
The OpenSSL installer will tell you if you need to do this or not.

----------------------------------------------------------------------------------------
2) On your computer open the directory C:\OpenSSL\bin and double click on the file openssl.exe. This will open a DOS dialogue box.

----------------------------------------------------------------------------------------
3) Type into this box:

genrsa -out my-prvkey.pem 1024

It is ESSENTIAL that you get the spaces and dashes exactly as they appear above. This will generate and save your private key to C:\OpenSSL\bin.

----------------------------------------------------------------------------------------
4) Again at the command prompt, type:

req -config c:\openssl\bin\openssl.cfg -new -key my-prvkey.pem -x509 -days 3650 -out my-pubcert.pem

Again it is ESSENTIAL that you get the spaces and dashes exactly as they appear above. The system will ask for details such as store name, email, country etc. This will generate and save your public key to C:\OpenSSL\bin. Change the figure after "-days" to change the validity of the certificate; I have opted for 10 years.

----------------------------------------------------------------------------------------
5) Go to your PayPal account, Profile, My Selling Preferences, and at the bottom you will see "Encrypted Payment Settings". Click on this link.

----------------------------------------------------------------------------------------
6) On the page that opens, there are a couple of steps to complete:

First you need to download the PayPal public certificate, so hit the "Download" button and save the file again to C:\OpenSSL\bin. It will be called paypal_cert_pem.txt.

Second you need to upload the public certificate (my-pubcert.pem) that you created in OpenSSL. So click on the Add button, browse to C:\OpenSSL\bin and select my-pubcert.pem.

Once the public certificate has been added you will see that it has a Cert ID allocated to it. Keep the page open as you will need the cert number in a little while.

----------------------------------------------------------------------------------------
7) Using an FTP programme such as FileZilla, create a directory on your server to store the files. I set them above the public_html level in a directory called /bin/openssl/, so I will use that as the location for the rest of these instructions; if you use a different location then amend the instructions accordingly.

----------------------------------------------------------------------------------------
8) From C:\OpenSSL\bin upload the three files created previously (my-prvkey.pem, my-pubcert.pem and paypal_cert_pem.txt) to the directory created in step 7.

----------------------------------------------------------------------------------------
9) Go to your OSC Admin, select Modules, Payment, and the PayPal module you are using and click "Edit". At the bottom of the options you will see "Enable Encrypted Web Payments"; this is the start of the options you need to fill. Set this to "True". Below is how the rest of the fields should be filled:

Your Private Key: /home/yourusername/bin/openssl/my-prvkey.pem
Your Public Certificate: /home/yourusername/bin/openssl/my-pubcert.pem
PayPal's Public Certificate: /home/yourusername/bin/openssl/paypal_cert_pem.txt
Your PayPal Public Certificate ID: the Certificate ID as mentioned at the bottom of step 6 above.
Working Directory: /home/yourusername/tmp/
OpenSSL Location: /home/yourusername/bin/openssl

Save the changes you have made.

=====================================================

That's it!

Test out the system by making a trial purchase with PayPal to make sure there are no errors. If there are, they are most likely due to incorrect paths being set in step 9 (if you used a different directory). Also if you have Firebug or similar installed, check prior to pressing Confirm Order that the hidden fields are in fact encrypted.

Enjoy.
Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
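What "Enable Encrypted Web Payments" actually does with those hidden fields is worth seeing end to end, because it explains why the settings in step 9 are what they are and why a tampered checkout fails. The module shells out to openssl (hence the "OpenSSL Location" and "Working Directory" settings; in the PayPal Standard module the location is the path of the openssl executable itself, /usr/bin/openssl on most Linux hosts, not the directory holding the certificates), and runs the sign-then-encrypt pipeline from PayPal's Encrypted Website Payments documentation: the key=value list is S/MIME-signed with the store's private key and then encrypted to PayPal's certificate, so the browser only ever sees one opaque "encrypted" field. The script below is an added example, not code from the walkthrough or from osCommerce. It fakes the PayPal side with a constructed key pair so both directions can be run offline; the store names, cert ID, order values and file names are all made up, and it uses 2048-bit RSA rather than the 1024 bits in the original genrsa command.

```shell
#!/bin/sh
# Added example, not code from the walkthrough or from osCommerce: the Encrypted Website
# Payments (EWP) pipeline that "Enable Encrypted Web Payments" switches on, run end to end
# with the openssl CLI. The PayPal key pair below is a constructed stand-in so the receiving
# side can be simulated offline; in production paypal_cert_pem.txt is the file downloaded in
# step 6 and only PayPal holds the matching private key. All names and values are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT
CERT_ID="${CERT_ID:-ABCDEF1234567890}"   # assumption: the Cert ID PayPal shows in step 6

# Steps 3 and 4 of the walkthrough. 2048-bit RSA is used here instead of the 1024 bits in
# the original command; -subj answers the prompts the interactive req command would ask.
gen_merchant_keys() {
  openssl genrsa -out "$WORK/my-prvkey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/my-prvkey.pem" \
    -subj "/C=GB/O=Example Store/CN=shop.example.com" -out "$WORK/my-pubcert.pem" 2>/dev/null
}

# Constructed stand-in for paypal_cert_pem.txt plus the private key only PayPal would hold.
gen_paypal_stand_in() {
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
    -keyout "$WORK/paypal-prvkey.pem" -out "$WORK/paypal_cert_pem.txt" \
    -subj "/C=US/O=PayPal stand-in/CN=paypal.example" 2>/dev/null
}

# The key=value list that the unencrypted module puts into hidden fields one by one.
# $1 = amount, $2 = cert_id to claim.
build_params() {
  printf 'cert_id=%s\ncmd=_xclick\nbusiness=seller@example.com\nitem_name=Order 1234\namount=%s\ncurrency_code=GBP\n' "$2" "$1"
}

# EWP: sign with a private key ($1) and certificate ($2), then encrypt to PayPal's certificate.
# Reads the parameter list on stdin and writes the PEM PKCS#7 blob that goes into the single
# hidden field named "encrypted" (with cmd=_s-xclick) on stdout.
ewp_encrypt() {
  openssl smime -sign -signer "$2" -inkey "$1" -outform der -nodetach -binary \
  | openssl smime -encrypt -des3 -binary -outform pem "$WORK/paypal_cert_pem.txt"
}

# Receiving side: decrypt with PayPal's private key, then check the signature against the
# merchant certificate on file (-nointern -certfile models PayPal looking the certificate up
# by cert_id instead of trusting whatever certificate the blob carries). Prints the recovered
# parameters; exits non-zero when the signature does not check out.
paypal_receive() {
  openssl smime -decrypt -inform pem -inkey "$WORK/paypal-prvkey.pem" \
  | openssl smime -verify -inform der -nointern -noverify \
      -certfile "$WORK/my-pubcert.pem" 2>/dev/null
}

# Legitimate checkout: prints the amount PayPal recovers from the store's blob.
legit_amount() {
  build_params "45.00" "$CERT_ID" \
  | ewp_encrypt "$WORK/my-prvkey.pem" "$WORK/my-pubcert.pem" \
  | paypal_receive | sed -n 's/^amount=//p'
}

# Attacker with Firebug: the blob is opaque, so the only move left is to build a new one with
# a key of their own and the real cert_id. Prints "rejected" when PayPal's verification fails.
tamper_attempt() {
  openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes \
    -keyout "$WORK/evil-key.pem" -out "$WORK/evil-cert.pem" -subj "/CN=attacker" 2>/dev/null
  if build_params "0.01" "$CERT_ID" \
     | ewp_encrypt "$WORK/evil-key.pem" "$WORK/evil-cert.pem" \
     | paypal_receive >/dev/null; then
    echo accepted
  else
    echo rejected
  fi
}

gen_merchant_keys
gen_paypal_stand_in
echo "amount PayPal recovers from the store's blob: $(legit_amount)"
echo "attacker's re-signed blob: $(tamper_attempt)"
```

The private key is the whole secret here: anyone who can read my-prvkey.pem can sign arbitrary amounts exactly as tamper_attempt does with its own key, which is why the walkthrough keeps the files above public_html. Check the server-side permissions on that directory as well, so only the web server user can read the key.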
altoid Posted June 24, 2012

I am sure that figuring all this out and putting it together took a lot of work. Thank you for taking the time to share this Heather. Accomplishing this is on my "to do" list for the week. Much appreciated.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.
geoffreywalton Posted June 24, 2012

ditto

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile
Ken44 Posted June 24, 2012

Hi Heather. Thank you for posting this. I had a problem with OpenSSL not finding the config file. To set the config file location, open a DOS box and type:

set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg

Now navigate to the openssl.exe and run it.

Ken
Biancoblu Posted June 24, 2012

Thanks so much Heather. That'll be on my to-do list for when I get back to the office next week.

~ Don't mistake my kindness for weakness ~
Mort-lemur Posted June 26, 2012 Author

Thanks all, hope it works for you - post any improvements or corrections as you find them. One of the reasons I took the time to document and post the solution was that I have a bad memory, and if I post the solution here I know where to find it if I need it in future :blink:
Biancoblu Posted July 3, 2012

I installed this; it turned out to be very easy thanks to your terrific walkthrough! :) I do wonder about this though: upon creating the private key, DOS gave this warning: "unable to write 'random state'". Does anybody know what it means and if it's important? My buttons got encrypted alright, and test purchases were successful.
Mort-lemur Posted July 3, 2012 Author

@Biancoblu This post from Stack Overflow may give you the answer: http://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean

It looks like it is a write permissions error, but reading some other stuff on the net I don't think it is much to worry about.
Biancoblu Posted July 5, 2012

Thanks for the link Heather. I have searched Google too and it seems this is about file permissions on a .rnd file, but I have no such file (or at least I can't find it; it's not in openssl nor anywhere else that I can see). I tried generating the private key and cert from another computer and didn't get the error, so that fixed the issue for me.
motorcity Posted July 18, 2012

I'm not sure what the problem is, but I can't seem to get this working. All I get is: "We were unable to decrypt the certificate id." I'm running PayPal Standard.
Mort-lemur Posted July 18, 2012 Author

Check that the certificates have been uploaded to your paypal account, that you are calling up the correct certificate ID in your admin and that all the paths in admin are correct.
motorcity Posted July 18, 2012

> Check that the certificates have been uploaded to your PayPal account, that you are calling up the correct certificate ID in your admin and that all the paths in admin are correct.

Thanks Heather. I've actually got a guy placing orders over & over changing the prices, trying to trip us up, so this has been something of a priority for me. I've probably gone through this procedure at least 10 times in the past 24 hours, same result every time.

I thought it might be the OpenSSL version, as the one you used is no longer on that site. So this is the same result with two different OpenSSL versions: Win32 OpenSSL v0.9.8x Light (unless your v0.9.8g was in error) and Win32 OpenSSL v1.0.1c Light.

I thought there might be a problem with use of caps in the cert displayed at PayPal as Certifying Authority - nope! And I played around some with the location of the files on the server - nope. I went to PayPal for help but they're very limited in what they know or have to suggest.

Somewhere I thought I saw mentioned the OpenSSL in the PHP configuration and possible conflicts; can't find that now.
Mort-lemur Posted July 18, 2012 Author

Try the post at the bottom of this thread by Satish: http://www.oscommerce.com/forums/topic/309692-paypal-we-were-unable-to-decrypt-the-certificate-id/
motorcity Posted July 18, 2012

Thanks again Heather. If half the people I deal with in life were as helpful and attentive to details as you, things would be so much better. Unfortunately they're not anywhere close.

But also I played around with that setting as well, and dog-gone it! That doesn't seem to make any difference either.

We're running PayPal Standard on RC2a, but perhaps I should mention we used to run PayPal IPN and a fair amount of the files from IPN are still active on the site. This was left that way so we could see the old payment activity on repeat customers. I doubt it matters, but?
Mort-lemur Posted July 18, 2012 Author

I'm using the system on 2.2 RC2a with PayPal IPN and it works fine. PM me your email address if you like and I will generate a couple of certs on my system for you to try? May be a few days though, as we are closing tomorrow pm for new computers to be installed.
Mort-lemur Posted July 18, 2012 Author

Joe, generated a couple of certs using your company details, but I need an email address to send them to.
thejudge99 Posted September 1, 2012

Can anyone say if this also affects PayPal Express? I had a look around but could only find confirmation for PayPal Standard.
Harald Ponce de Leon Posted September 1, 2012

Hi Heather. Great post! A minor correction:

> If, like me, you don't always check the order value against your PayPal account this may not get picked up and the order may be shipped, which to me is an unacceptable vulnerability.

It does get picked up! The PayPal IPN verification adds the following similar line to the order status comment if the PayPal total does not match the order total:

PayPal transaction value (2.00) does not match order value (50.00)
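Encryption prevents the tampered amount from reaching PayPal; the IPN comparison Harald describes is the detection layer behind it, and it is worth being precise about what it compares. The script below is an added example and not osCommerce's own code: it takes the form-encoded message PayPal posts to the IPN URL, URL-decodes the fields it needs, and checks payment status, receiver, currency and amount against the order before producing the kind of comment Harald quotes. The IPN body is constructed, the field names are the standard PayPal IPN ones, and the "VERIFIED" postback to PayPal that must happen before any of this is trusted is assumed to have been done already (it needs the network and is left out).

```shell
#!/bin/sh
# Added example, not osCommerce's own code: the detection-side check Harald describes, as a
# shell function over the message PayPal posts to the IPN URL (a form-encoded body). The body
# below is constructed, and the "VERIFIED" postback to PayPal that must precede this check is
# assumed to have been done already (it needs the network and is left out).
set -eu

# Print the URL-decoded value of field $2 in the form-encoded body $1 (nothing if absent).
ipn_field() {
  printf '%s\n' "$1" | tr '&' '\n' | awk -v name="$2" '
    function hexval(c) { return index("0123456789ABCDEF", toupper(c)) - 1 }
    index($0, name "=") == 1 {
      v = substr($0, length(name) + 2); gsub(/[+]/, " ", v); out = ""
      while (match(v, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        out = out substr(v, 1, RSTART - 1)
        out = out sprintf("%c", hexval(substr(v, RSTART + 1, 1)) * 16 + hexval(substr(v, RSTART + 2, 1)))
        v = substr(v, RSTART + 3)
      }
      print out v; exit
    }'
}

# Compare what PayPal says was paid with what the order is for.
# Args: IPN body, order total, order currency, the store's PayPal email.
# Prints "OK" and returns 0 when everything matches; otherwise prints the comment that would
# go on the order status and returns 1. Amount alone is not enough: 50.00 in the wrong currency
# or paid to a different receiver is just as wrong as 2.00.
ipn_check() {
  body=$1; want_total=$2; want_cur=$3; want_email=$4
  status=$(ipn_field "$body" payment_status)
  gross=$(ipn_field "$body" mc_gross)
  cur=$(ipn_field "$body" mc_currency)
  recv=$(ipn_field "$body" receiver_email)
  [ "$status" = Completed ] || { echo "PayPal payment status is $status, not Completed"; return 1; }
  [ "$recv" = "$want_email" ] || { echo "PayPal receiver ($recv) is not this store ($want_email)"; return 1; }
  [ "$cur" = "$want_cur" ] || { echo "PayPal currency ($cur) does not match order currency ($want_cur)"; return 1; }
  # numeric comparison, so "50.0" and "50.00" agree; a string comparison would not
  if ! awk -v a="$gross" -v b="$want_total" 'BEGIN { d = a - b; if (d < 0) d = -d; exit !(d < 0.005) }'; then
    echo "PayPal transaction value ($gross) does not match order value ($want_total)"; return 1
  fi
  echo OK
}

# Constructed IPN body for the case Harald quotes: 2.00 paid against a 50.00 order.
SAMPLE_IPN='txn_id=TEST123&payment_status=Completed&receiver_email=seller%40example.com&mc_gross=2.00&mc_currency=GBP&custom=1234&item_name=Order+1234'

ipn_check "$SAMPLE_IPN" 50.00 GBP seller@example.com || true
ipn_check "$SAMPLE_IPN" 2.00 GBP seller@example.com
```

The comment on the order is only useful if someone reads it before shipping, which is the gap the original post is about; the encryption stops the mismatch from being created, this check catches it when something else (a direct post to PayPal with the store's email, a currency switch) still produces one.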
Harald Ponce de Leon Posted September 1, 2012

> Can anyone say if this also affects PayPal Express? I had a look around but could only find confirmation for PayPal Standard.

Encrypting the parameters is only available for the PayPal Website Payments Standard module. The PayPal Express Checkout module uses another PayPal API which is further tightened/secured compared to the Standard module.