Closing the Paypal Checkout Confirmation Exploit

[Mort-lemur]

Starting a new Thread for this so it is easier for others to find if needed.

 

Adding Encryption to Paypal to Prevent Checkout_Confirmation Exploit

***********************************************************************************

As standard, Paypal standard and Paypal IPN modules use hidden fields to post data to paypal. (I can not comment on Paypal Express as I dont use it)

 

It is possible on the checkout_confirmation page, using a tool such as firebug to view and modify these hidden fields, changing the value that is posted to paypal and paying pennies for an order that should cost £££££.

 

If, like me, you dont always check the order value against your paypal account this may not get picked up and the order may be shipped, which to me is an unacceptable vulnerability.

 

The following steps, detail how to install the paypal encryption system which will encrypt these hidden fields prior to submission, so a mischievious shopper cannot alter the order value. This is a feature in the Paypal payment modules that is often ignored.

 

This has been tested on several of my OSC 2.2RC2a stores using the Paypal IPN module, and having looked at the Paypal Standard module on OSC 2.3.1 I can see no reason why it wont work on that either.

 

I take no credit for this, all I have done is pull together information from various posts and tried to put the steps in a logical manner.

 

Installation

=========

 

1) Download and install the openSSL software (Win32 OpenSSL v0.9.8g Light) to your computer from: http://slproweb.com/products/Win32OpenSSL.html

 

For the open ssl software to function correctly you may need to download and install windows Visual c++ from:

http://www.microsoft.com/en-us/download/details.aspx?id=5555

 

The openssl installer will tell you if you need to do this or not.

----------------------------------------------------------------------------------------

2) On your computer open the directory C:\OpenSSL\bin and double click on the file: openssl.exe this will open a dos dialogue box.

----------------------------------------------------------------------------------------

3) Type into this box:

 

genrsa -out my-prvkey.pem 1024

 

It is ESSENTIAL that you get the spaces and dashes exactly as they appear above. This will generate and save your private key to C:\OpenSSL\bin

----------------------------------------------------------------------------------------

4) Again at the command prompt, type:

 

req -config c:\openssl\bin\openssl.cfg -new -key my-prvkey.pem -x509 -days 3650 -out my-pubcert.pem

 

Again it is ESSENTIAL that you get the spaces and dashes exactly as they appear above. The system will ask for details such as store name, email, country etc. This will generate and save your public key to C:\OpenSSL\bin - Change the figure after "Days" to change the validity of the certificate, I have opted for 10 years.

----------------------------------------------------------------------------------------

5) Go to your Paypal account, Profile, my selling preferences and at the bottom you will see: Encrypted Payment Settings. Click on this link.

----------------------------------------------------------------------------------------

6) On the page that opens, there are a couple of steps to complete:

 

First you need to download the paypal public certificate, so hit the "Download" button and save the file again to C:\OpenSSL\bin - It will be called: paypal_cert_pem.txt

 

Second you need to upload the Public certificate (my-pubcert.pem) that you created in openssl. So click on the add button and browse to C:\OpenSSL\bin and select my-pubcert.pem

 

Once public certificate has been added you will see that it has a Cert ID allocated to it, keep the page open as you will need the cert number in a little while.

----------------------------------------------------------------------------------------

7) Using an ftp programme such as filezilla, create a directory on your server to store the files. I set them above the public_html level in a directory called/bin/openssl/ so I will use that as the location for the rest of these instructions, if you use a different location then amend the instructions accordingly.

----------------------------------------------------------------------------------------

8) From C:\OpenSSL\bin upload the three files created previously (my-prvkey.pem, my-pubcert.pem and paypal_cert_pem.txt) to the directory created in step 7.

----------------------------------------------------------------------------------------

9) Go to your OSC Admin, select Modules, Payment, and the paypal module you are using and click "edit", at the bottom of the options you will see "Enable Encrypted Web Payments" this is the start of the options you need to fill. Set this to "True"

 

Below is how the rest of the fields should be filled:

 

Your Private Key: /home/yourusername/bin/openssl/my-prvkey.pem

 

Your Public Certificate: /home/yourusername/bin/openssl/my-pubcert.pem

 

PayPals Public Certificate: /home/yourusername/bin/openssl/paypal_cert_pem.txt

 

Your PayPal Public Certificate ID: The Certificate ID as mentioned at the bottom of step 6 above.

 

Working Directory: /home/yourusername/tmp/

 

OpenSSL Location: /home/yourusername/bin/openssl

 

Save the changes you have made.

=====================================================

 

Thats It ! Test out the system by making a trial purchase with paypal to make sure there are no errors. If there are, they are most likely due to incorrect paths being set in step 9 (if you used a different directory)

 

Also if you have firebug or similar installed, check prior to pressing confirm order that the hidden fields are in fact encrypted.

 

Enjoy.

[♥altoid]

I am sure that figuring all this out and putting it together took a lot of work. Thank you for taking the time to share this Heather. Accomplishing this is on my "to do" list for the week. Much appreciated.

[♥geoffreywalton]

ditto

 

G

[Ken44]

Hi Heather.

 

Thank You for posting this

 

I had a problem with OpenSSL not finding the Config file

 

To set the config file location

 

Open a DOS box and Type

 

set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg

 

Now navigate to the openssl.exe and run it.

 

 

Ken

[♥Biancoblu]

Thanks so much Heather. That'll be on my to do list for when I get back to the office next week.

[Mort-lemur]

Thanks All, hope it works for you - post any improvements or corrections as you find them.

 

One of the reasons I took the time to document and post the solution was that I have a bad memory - and If I post the solution here I know where to find it if I need it in future :blink:

[♥Biancoblu]

I installed this, turned out to be very easy thanks to your terrific walkthrough! :)

 

I do wonder about this though: upon creating the private key DOS gave this warning: "unable to write "random state".....anybody knows what it means and if it's important?

 

My buttons got encrypted alright, and test purchases were successful.

[Mort-lemur]

@@Biancoblu

 

This post from stackoverflow may give you the answer : http://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean

 

It looks like it is a writing permissions error - but reading some other stuff on the net I dont think it is much to worry about.

[♥Biancoblu]

Thanks for the link Heather, I have searched google too and it seems this is about file permissions on a .rnd file, but I have no such file (or at least I can't find it, it's not in opensll nor anywhere else that I can see).

 

I tried generating the private key and cert from another computer and didn't get the error, so that fixed the issue for me.

[motorcity]

I'm not sure what the problem is but I can't seem to get this working. All I get is;

We were unable to decrypt the certificate id.

I'm running PayPal Standard

[Mort-lemur]

Check that the certificates have been uploaded to your paypal account, that you are calling up the correct certificate ID in your admin and that all the paths in admin are correct.

[motorcity]

Check that the certificates have been uploaded to your paypal account, that you are calling up the correct certificate ID in your admin and that all the paths in admin are correct.

Thanks Heather,

I've actually got a guy placing orders over & over changing the prices, trying to trip us up, so this has been something of a priority for me.

I've probably gone through this proceedure at least 10 times in the past 24 hours, same result every time.

I thought it might be the openssl version, as the one you used is no longer on that site. So this is the same result with two different openssl versions Win32 OpenSSL v0.9.8x Light (unless your v0.9.8g was in error) and Win32 OpenSSL v1.0.1c Light

I thought there might be a problem with use of caps in the cert displayed at PayPal as Certifying Authority - nope!

And I played around some with the location of the files on the server - nope.

I went to PayPal for help but they're very limited in what they know or have to suggest.

Somewhere I thought I saw mentioned the openssl in the php configuration and possible conflicts, cant find that now.

[Mort-lemur]

Try the post at the bottom of this thread by Satish:

 

http://www.oscommerce.com/forums/topic/309692-paypal-we-were-unable-to-decrypt-the-certificate-id/

[motorcity]

Thanks again Heather. If half the people I deal with in life were as helpful and attentive to details as you, things would be so much better. Unfortunately their not anywhere close.

But also I played around with that setting as well, and dog-gone it! That doesn't seem to make any difference either.

We're running PayPal Standard on RC2a but perhaps I should mention we used to run PayPal IPN and a fair amount of the files from IPN are still active on the site. This was left that way so we could see the old payment activity on repeat customers, I doubt it matters but?

[Mort-lemur]

Im using the system on 2.2 RC2a with paypal IPN and it works fine - Pm me your email address if you like and I will generate a couple of certs on my system for you to try?

 

May be a few days though as we are closing tomorrow pm for new computers to be installed.

[Mort-lemur]

Joe,

 

Generated a couple of certs using your company details, but I need an email address to send them to

[thejudge99]

can anyone say if this also affects paypal express ? - had a look around but could only find confirmation for paypal standard.

[Harald Ponce de Leon]

Hi Heather..

 

Great post!

 

A minor correction:

 

If, like me, you dont always check the order value against your paypal account this may not get picked up and the order may be shipped, which to me is an unacceptable vulnerability.

 

It does get picked up! The PayPal IPN verification adds the following similar line to the order status comment if the PayPal total does not match the order total:

 

PayPal transaction value (2.00) does not match order value (50.00)

[Harald Ponce de Leon]

can anyone say if this also affects paypal express ? - had a look around but could only find confirmation for paypal standard.

 

Encrypting the parameters is only available for the PayPal Website Payments Standard module. The PayPal Express Checkout module uses another PayPal API which is further tightened/secured compared to the Standard module.