
Mort-lemur

Closing the Paypal Checkout Confirmation Exploit


Starting a new Thread for this so it is easier for others to find if needed.

 

Adding Encryption to Paypal to Prevent Checkout_Confirmation Exploit

***********************************************************************************

As standard, the PayPal Standard and PayPal IPN modules use hidden fields to post data to PayPal. (I cannot comment on PayPal Express as I don't use it.)

 

It is possible on the checkout_confirmation page, using a tool such as Firebug, to view and modify these hidden fields, changing the value that is posted to PayPal and paying pennies for an order that should cost £££££.

 

If, like me, you don't always check the order value against your PayPal account, this may not get picked up and the order may be shipped, which to me is an unacceptable vulnerability.

 

The following steps detail how to install the PayPal encryption system, which will encrypt these hidden fields prior to submission so a mischievous shopper cannot alter the order value. This is a feature in the PayPal payment modules that is often ignored.

 

This has been tested on several of my OSC 2.2RC2a stores using the PayPal IPN module, and having looked at the PayPal Standard module on OSC 2.3.1 I can see no reason why it won't work on that either.

 

I take no credit for this, all I have done is pull together information from various posts and tried to put the steps in a logical manner.

 

Installation

=========

 

1) Download and install the OpenSSL software (Win32 OpenSSL v0.9.8g Light) on your computer from: http://slproweb.com/products/Win32OpenSSL.html

 

For the OpenSSL software to function correctly you may need to download and install Windows Visual C++ from:

http://www.microsoft.com/en-us/download/details.aspx?id=5555

 

The OpenSSL installer will tell you if you need to do this or not.

----------------------------------------------------------------------------------------

2) On your computer open the directory C:\OpenSSL\bin and double-click on the file openssl.exe; this will open a DOS box.

----------------------------------------------------------------------------------------

3) Type into this box:

 

genrsa -out my-prvkey.pem 1024

 

It is ESSENTIAL that you get the spaces and dashes exactly as they appear above. This will generate and save your private key to C:\OpenSSL\bin

----------------------------------------------------------------------------------------

4) Again at the command prompt, type:

 

req -config c:\openssl\bin\openssl.cfg -new -key my-prvkey.pem -x509 -days 3650 -out my-pubcert.pem

 

Again it is ESSENTIAL that you get the spaces and dashes exactly as they appear above. The system will ask for details such as store name, email, country etc. This will generate and save your public key to C:\OpenSSL\bin. Change the figure after "-days" to change the validity of the certificate; I have opted for 10 years.

----------------------------------------------------------------------------------------

5) Go to your Paypal account, Profile, my selling preferences and at the bottom you will see: Encrypted Payment Settings. Click on this link.

----------------------------------------------------------------------------------------

6) On the page that opens, there are a couple of steps to complete:

 

First you need to download the paypal public certificate, so hit the "Download" button and save the file again to C:\OpenSSL\bin - It will be called: paypal_cert_pem.txt

 

Second you need to upload the Public certificate (my-pubcert.pem) that you created in openssl. So click on the add button and browse to C:\OpenSSL\bin and select my-pubcert.pem

 

Once the public certificate has been added you will see that it has a Cert ID allocated to it; keep the page open as you will need the cert number in a little while.

----------------------------------------------------------------------------------------

7) Using an FTP programme such as FileZilla, create a directory on your server to store the files. I set them above the public_html level in a directory called /bin/openssl/, so I will use that as the location for the rest of these instructions; if you use a different location then amend the instructions accordingly.

----------------------------------------------------------------------------------------

8) From C:\OpenSSL\bin upload the three files created previously (my-prvkey.pem, my-pubcert.pem and paypal_cert_pem.txt) to the directory created in step 7.

----------------------------------------------------------------------------------------

9) Go to your OSC Admin, select Modules, Payment, and the PayPal module you are using and click "edit". At the bottom of the options you will see "Enable Encrypted Web Payments"; this is the start of the options you need to fill in. Set this to "True".

 

Below is how the rest of the fields should be filled:

 

Your Private Key: /home/yourusername/bin/openssl/my-prvkey.pem

 

Your Public Certificate: /home/yourusername/bin/openssl/my-pubcert.pem

 

PayPal's Public Certificate: /home/yourusername/bin/openssl/paypal_cert_pem.txt

 

Your PayPal Public Certificate ID: The Certificate ID as mentioned at the bottom of step 6 above.

 

Working Directory: /home/yourusername/tmp/

 

OpenSSL Location: /home/yourusername/bin/openssl

 

Save the changes you have made.

=====================================================

 

That's it! Test out the system by making a trial purchase with PayPal to make sure there are no errors. If there are, they are most likely due to incorrect paths being set in step 9 (if you used a different directory).

 

Also if you have firebug or similar installed, check prior to pressing confirm order that the hidden fields are in fact encrypted.

 

Enjoy.


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
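The procedure above, as an added example that is not part of the original post and is not the osCommerce module's own code: a Python script that drives the openssl command line (assumed to be on PATH) to do what steps 3 and 4 do, generating the private key and self-signed certificate, and then performs the sign-then-encrypt step that the module runs on the hidden fields at checkout, using the openssl smime recipe PayPal publishes for Encrypted Website Payments. PayPal's real certificate (paypal_cert_pem.txt) cannot be fetched offline, so the script generates a stand-in "PayPal" key pair and plays PayPal's side as well, which lets it show that the amount recovered is the one the shop set and that an altered blob is refused. The cert ID, business address and order values are constructed placeholders, and the script uses a 2048-bit key where step 3 uses 1024.

```python
"""Added example, not from the original post or the osCommerce module:
the key pair from steps 3-4 and the sign-then-encrypt step the payment
module performs on the hidden fields (PayPal's published openssl smime
recipe). Drives the openssl binary, assumed to be on PATH."""
import os
import subprocess
import tempfile


def run_openssl(args, stdin_bytes=None):
    """Run openssl with the given arguments, feeding stdin_bytes; return stdout."""
    proc = subprocess.run(["openssl", *args], input=stdin_bytes, capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.decode(errors="replace"))
    return proc.stdout


def make_keypair(workdir, name, subject, days=3650):
    """Steps 3 and 4: RSA private key plus self-signed X.509 certificate.
    2048 bits instead of the post's 1024; -subj supplies the answers that
    step 4 would otherwise ask for interactively."""
    key = os.path.join(workdir, f"{name}-prvkey.pem")
    cert = os.path.join(workdir, f"{name}-pubcert.pem")
    run_openssl(["genrsa", "-out", key, "2048"])
    run_openssl(["req", "-new", "-key", key, "-x509", "-days", str(days),
                 "-subj", subject, "-out", cert])
    return key, cert


def encrypt_fields(fields, merchant_key, merchant_cert, paypal_cert):
    """What the module emits instead of plain hidden inputs: the name=value
    lines signed with the merchant key (PKCS#7, DER, content attached), and
    the signed blob then encrypted to PayPal's certificate (PEM output)."""
    plaintext = "\n".join(f"{k}={v}" for k, v in fields.items()).encode()
    signed = run_openssl(["smime", "-sign", "-signer", merchant_cert,
                          "-inkey", merchant_key, "-outform", "der",
                          "-nodetach", "-binary"], plaintext)
    encrypted = run_openssl(["smime", "-encrypt", "-des3", "-binary",
                             "-outform", "pem", paypal_cert], signed)
    return encrypted.decode()


def decrypt_fields(encrypted_pem, paypal_key, paypal_cert, merchant_cert):
    """PayPal's side: decrypt with its own key, then verify the signature
    against the merchant certificate uploaded in step 6. Raises RuntimeError
    if the blob was altered, so a changed amount never reaches the order."""
    signed = run_openssl(["smime", "-decrypt", "-inform", "pem",
                          "-recip", paypal_cert, "-inkey", paypal_key],
                         encrypted_pem.encode())
    content = run_openssl(["smime", "-verify", "-inform", "der",
                           "-CAfile", merchant_cert], signed)
    lines = [ln.strip() for ln in content.decode().splitlines() if ln.strip()]
    return dict(ln.split("=", 1) for ln in lines)


def tampering_is_rejected(blob, paypal_key, paypal_cert, merchant_cert):
    """Flip one base64 character in the middle of the blob and report whether
    the decrypt/verify step refuses the result (it should)."""
    lines = blob.splitlines()
    mid = len(lines) // 2
    swap = "B" if lines[mid][0] != "B" else "C"
    lines[mid] = swap + lines[mid][1:]
    try:
        decrypt_fields("\n".join(lines) + "\n", paypal_key, paypal_cert, merchant_cert)
    except RuntimeError:
        return True
    return False


def round_trip(fields):
    """Generate both key pairs in a temp dir, encrypt, then play PayPal's side.
    Returns (encrypted_pem, recovered_fields, tamper_rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        m_key, m_cert = make_keypair(tmp, "my", "/CN=Example Store/C=GB")
        # Stand-in for paypal_cert_pem.txt: PayPal's real certificate is not
        # available offline, so a second local key pair plays its part.
        p_key, p_cert = make_keypair(tmp, "stand-in-paypal", "/CN=stand-in PayPal/C=US")
        blob = encrypt_fields(fields, m_key, m_cert, p_cert)
        recovered = decrypt_fields(blob, p_key, p_cert, m_cert)
        rejected = tampering_is_rejected(blob, p_key, p_cert, m_cert)
    return blob, recovered, rejected


# Constructed checkout fields; cert_id and business are placeholders.
SAMPLE_FIELDS = {
    "cert_id": "CERT-ID-FROM-STEP-6",
    "cmd": "_xclick",
    "business": "merchant@example.com",
    "item_name": "Order 1001",
    "amount": "50.00",
    "currency_code": "GBP",
}

if __name__ == "__main__":
    blob, recovered, rejected = round_trip(SAMPLE_FIELDS)
    print(blob)                 # the single hidden "encrypted" field the form now carries
    print(recovered, rejected)  # PayPal sees the shop's amount; an altered blob is refused
```

Run as a script it prints the PEM blob that replaces the individual hidden inputs, which is what the Firebug check at the end of the post should show instead of a readable amount. The script looks for openssl on PATH; the module instead takes its path from the "OpenSSL Location" setting in step 9, so a wrong value there is the first thing to check when a trial purchase errors.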


I am sure that figuring all this out and putting it together took a lot of work. Thank you for taking the time to share this Heather. Accomplishing this is on my "to do" list for the week. Much appreciated.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


ditto

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 



Hi Heather.

 

Thank you for posting this.

 

I had a problem with OpenSSL not finding the config file.

 

To set the config file location:

 

Open a DOS box and type:

 

set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg

 

Now navigate to the openssl.exe and run it.

 

 

Ken


Thanks so much Heather. That'll be on my to do list for when I get back to the office next week.


~ Don't mistake my kindness for weakness ~


Thanks All, hope it works for you - post any improvements or corrections as you find them.

 

One of the reasons I took the time to document and post the solution was that I have a bad memory, and if I post the solution here I know where to find it if I need it in future :blink:



I installed this, turned out to be very easy thanks to your terrific walkthrough! :)

 

I do wonder about this though: upon creating the private key, DOS gave this warning: "unable to write 'random state'". Does anybody know what it means and if it's important?

 

My buttons got encrypted alright, and test purchases were successful.



@Biancoblu

 

This post from Stack Overflow may give you the answer: http://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean

 

It looks like it is a writing permissions error - but reading some other stuff on the net I don't think it is much to worry about.



Thanks for the link Heather, I have searched Google too and it seems this is about file permissions on a .rnd file, but I have no such file (or at least I can't find it; it's not in openssl nor anywhere else that I can see).

 

I tried generating the private key and cert from another computer and didn't get the error, so that fixed the issue for me.



I'm not sure what the problem is but I can't seem to get this working. All I get is:

We were unable to decrypt the certificate id.

I'm running PayPal Standard.


Check that the certificates have been uploaded to your paypal account, that you are calling up the correct certificate ID in your admin and that all the paths in admin are correct.


Check that the certificates have been uploaded to your paypal account, that you are calling up the correct certificate ID in your admin and that all the paths in admin are correct.

Thanks Heather,

I've actually got a guy placing orders over & over changing the prices, trying to trip us up, so this has been something of a priority for me.

I've probably gone through this procedure at least 10 times in the past 24 hours, same result every time.

I thought it might be the openssl version, as the one you used is no longer on that site. So this is the same result with two different openssl versions: Win32 OpenSSL v0.9.8x Light (unless your v0.9.8g was in error) and Win32 OpenSSL v1.0.1c Light.

I thought there might be a problem with use of caps in the cert displayed at PayPal as Certifying Authority - nope!

And I played around some with the location of the files on the server - nope.

I went to PayPal for help but they're very limited in what they know or have to suggest.

Somewhere I thought I saw mentioned the openssl in the php configuration and possible conflicts; can't find that now.



Thanks again Heather. If half the people I deal with in life were as helpful and attentive to details as you, things would be so much better. Unfortunately they're not anywhere close.

But also I played around with that setting as well, and dog-gone it! That doesn't seem to make any difference either.

We're running PayPal Standard on RC2a but perhaps I should mention we used to run PayPal IPN and a fair amount of the files from IPN are still active on the site. This was left that way so we could see the old payment activity on repeat customers, I doubt it matters but?


I'm using the system on 2.2 RC2a with PayPal IPN and it works fine - PM me your email address if you like and I will generate a couple of certs on my system for you to try?

 

May be a few days though as we are closing tomorrow pm for new computers to be installed.



Joe,

 

Generated a couple of certs using your company details, but I need an email address to send them to.



Hi Heather..

 

Great post!

 

A minor correction:

 

If, like me, you don't always check the order value against your PayPal account, this may not get picked up and the order may be shipped, which to me is an unacceptable vulnerability.

 

It does get picked up! The PayPal IPN verification adds the following similar line to the order status comment if the PayPal total does not match the order total:

 

PayPal transaction value (2.00) does not match order value (50.00)

:heart:, osCommerce
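The check this reply describes, as an added example in Python (not the osCommerce module's own PHP): a function that takes the url-encoded body of an IPN message and the order record saved at checkout and returns whether to accept the payment plus the comment to write to the order status. The IPN field names (mc_gross, mc_currency, payment_status, receiver_email, txn_id, custom) are PayPal's; the order record and the three IPN bodies are constructed. It goes a little beyond the one line quoted above: it also flags a currency, receiver account, order reference or payment-status mismatch and a replayed txn_id, compares amounts as Decimal rather than float, and shows the cmd=_notify-validate body that must be sent back to PayPal and answered with "VERIFIED" before any of these checks mean anything.

```python
"""Added example (Python, not the osCommerce module's PHP): the order-total
check an IPN handler should make before an order is marked as paid."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs


def build_validation_body(raw_body):
    """Step zero of IPN handling: the handler must echo the exact body back to
    PayPal with cmd=_notify-validate prepended and go on only if the reply is
    "VERIFIED". Nothing is sent here; this only builds that body."""
    return "cmd=_notify-validate&" + raw_body


def parse_ipn(raw_body):
    """Flatten the url-encoded POST body into a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def check_ipn_against_order(ipn, order, seen_txn_ids):
    """Return (accept, comment). `order` is the record saved at checkout:
    {"id", "total", "currency", "receiver_email"}. `seen_txn_ids` is the set
    of transaction ids already processed (replay protection)."""
    problems = []
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "PayPal message carried no usable mc_gross"
    expected = Decimal(order["total"])
    # The line the module writes when the total was altered in the browser
    if paid != expected:
        problems.append(f"PayPal transaction value ({paid:.2f}) does not match "
                        f"order value ({expected:.2f})")
    if ipn.get("mc_currency") != order["currency"]:
        problems.append(f"currency {ipn.get('mc_currency')!r} does not match "
                        f"order currency {order['currency']!r}")
    if ipn.get("receiver_email", "").lower() != order["receiver_email"].lower():
        problems.append("receiver_email is not this store's PayPal account")
    if ipn.get("custom") != str(order["id"]):
        problems.append("custom field does not reference this order")
    if ipn.get("payment_status") != "Completed":
        problems.append(f"payment_status is {ipn.get('payment_status')!r}, not Completed")
    txn = ipn.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        problems.append("txn_id missing or already processed")
    if problems:
        return False, "; ".join(problems)
    seen_txn_ids.add(txn)
    return True, f"PayPal transaction {txn} matches order {order['id']}: {paid:.2f} {order['currency']}"


# Constructed order record and IPN bodies (placeholder values throughout).
ORDER = {"id": 1001, "total": "50.00", "currency": "GBP",
         "receiver_email": "merchant@example.com"}

# The browser-side tamper from the thread: 2.00 paid for a 50.00 order.
TAMPERED_IPN = ("txn_id=TXN-PLACEHOLDER-1&payment_status=Completed&mc_gross=2.00"
                "&mc_currency=GBP&receiver_email=merchant@example.com&custom=1001")
GENUINE_IPN = ("txn_id=TXN-PLACEHOLDER-2&payment_status=Completed&mc_gross=50.00"
               "&mc_currency=GBP&receiver_email=merchant@example.com&custom=1001")


def demo():
    """Run the three cases (tampered, genuine, genuine replayed) in order."""
    seen = set()
    results = {}
    for name, body in (("tampered", TAMPERED_IPN), ("genuine", GENUINE_IPN),
                       ("replayed", GENUINE_IPN)):
        results[name] = check_ipn_against_order(parse_ipn(body), ORDER, seen)
    return results


if __name__ == "__main__":
    for name, (accept, comment) in demo().items():
        print(f"{name}: {'ACCEPT' if accept else 'HOLD'} - {comment}")
```

The tampered case yields exactly the comment quoted above and leaves the order on hold; the replayed case shows why the txn_id set has to be persisted rather than kept in memory per request. Encrypting the button (the main post) and checking the IPN total (this reply) are complementary: the first stops the amount being changed on the way to PayPal, the second catches anything that still arrives wrong.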


Can anyone say if this also affects PayPal Express? I had a look around but could only find confirmation for PayPal Standard.

 

Encrypting the parameters is only available for the PayPal Website Payments Standard module. The PayPal Express Checkout module uses another PayPal API which is further tightened/secured compared to the Standard module.


