Security issue - Possible to purchase without payment!


viswablr

Hello all,

I have not checked this on latest oscommerce, but I confirmed this in one of the distributions using oscommerce.

=> Add products to cart
=> Checkout and fill in relevant information
=> Once the site redirects to payment gateway, manually type: http://store_name.com/checkout_process.php
=> Alas, the order is successful, without paying a penny!
=> If the product is downloadable, you already get links to download.

Thanks


Hello all,

I have not checked this on latest oscommerce, but I confirmed this in one of the distributions using oscommerce.

=> Add products to cart
=> Checkout and fill in relevant information
=> Once the site redirects to payment gateway, manually type: http://store_name.com/checkout_process.php
=> Alas, the order is successful, without paying a penny!
=> If the product is downloadable, you already get links to download.

Thanks

I can confirm that this works in v. 2.3.1 with the PayPal payment module but not the SagePay module... there is however a different issue whereby you can obtain discounted products when using SagePay.

Has anyone been able to check the 2.3.3 updates that have been posted to GitHub to see if that fixes this problem?

Jandy


I'd just like to add that if someone tricks the checkout in this way then, providing you have configured your payment gateway and store to send emails...

a) Customer bypasses PAYPAL: You will receive your regular 'order process' email from your store, but you WILL NOT receive a "Notification of Payment" from PayPal, which should stick out enough to alert you that there is a problem with the order.

b) Customer tricks SAGEPAY: You will receive a notification of payment (as you have to actually pay something) but the total paid on the SagePay email WILL NOT match the total on the order notification sent to you by your store.

So always check your emails before processing orders...

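The two e-mail checks in the post above (a PayPal order with no payment notification; a SagePay order whose paid amount differs from the order total) can be automated as a reconciliation pass over the store's order records and the gateway's payment notifications. The script below is an added example, not code from osCommerce or from any poster in this thread; the order and payment records are constructed sample data and the field names are assumptions.

```python
"""Reconcile store order notifications against payment-gateway notifications.

Added example, not code from osCommerce or from any poster in this thread.
The records below are constructed sample data; field names are assumptions.
"""
from decimal import Decimal

# Constructed: what the store's own "order process" e-mails tell us.
STORE_ORDERS = [
    {"order_id": 1001, "method": "paypal",  "total": Decimal("49.99")},
    {"order_id": 1002, "method": "paypal",  "total": Decimal("19.50")},
    {"order_id": 1003, "method": "sagepay", "total": Decimal("120.00")},
    {"order_id": 1004, "method": "sagepay", "total": Decimal("75.00")},
]

# Constructed: what the gateways' own payment notifications tell us.
GATEWAY_PAYMENTS = [
    {"order_id": 1001, "gateway": "paypal",  "amount": Decimal("49.99")},
    # No PayPal notification for 1002: checkout_process.php was reached directly.
    {"order_id": 1003, "gateway": "sagepay", "amount": Decimal("120.00")},
    {"order_id": 1004, "gateway": "sagepay", "amount": Decimal("30.00")},  # underpaid
]


def reconcile(orders, payments):
    """Return a list of (order_id, reason) for orders that must not be fulfilled."""
    paid = {}
    for p in payments:
        # A gateway may send more than one notification per order (partial
        # captures, retries); sum them so a split payment is not flagged.
        paid[p["order_id"]] = paid.get(p["order_id"], Decimal("0")) + p["amount"]

    problems = []
    for o in orders:
        amount = paid.get(o["order_id"])
        if amount is None:
            problems.append((o["order_id"], "no gateway payment notification"))
        elif amount != o["total"]:
            problems.append((o["order_id"],
                             f"paid {amount} but order total is {o['total']}"))
    return problems


def held_order_ids(orders, payments):
    """Convenience view: just the order ids that need a manual look."""
    return sorted(oid for oid, _ in reconcile(orders, payments))


if __name__ == "__main__":
    for oid, reason in reconcile(STORE_ORDERS, GATEWAY_PAYMENTS):
        print(f"HOLD order {oid}: {reason}")
```

The comparison is done on the gateway's own notification, not on anything the customer submitted to the store, which is what makes it a meaningful check; an order that the store thinks is complete but the gateway has never heard of is held rather than shipped.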

A properly configured cart DOES NOT have any vulnerabilities. Check your settings if you think you have a problem.

Chris


A properly configured cart DOES NOT have any vulnerabilities. Check your settings if you think you have a problem.

Chris

I know I have a problem as I can add orders without paying using "PayPal Website Payments Standard" and additionally I can add extra products for free using "Sage Pay Form".

I've checked my settings and I am sure that I have configured them correctly, yet the problem still persists. If there's any chance you could cast your eye over these settings and see if there is a glaring error or something I have missed, that would be great.

Here's my PayPal config:

Enable PayPal Website Payments Standard : True
E-Mail Address : pppayment@@MyWebSiteScripts.com
Payment Zone : --none--
Set Preparing Order Status : Preparing [PayPal Standard]
Set PayPal Acknowledged Order Status: Pending
Gateway Server: Live
Transaction Method: Sale
Page Style: <blank>
Debug E-Mail Address: ppdebug@@MyWebSiteScripts.com
Sort order of display. : 30
Enable Encrypted Web Payments: True
Your Private Key: /<somepath>/my-prvkey.pem
Your Public Certificate: /<somepath>/my-pubcert.pem
PayPals Public Certificate: /<somepath>/paypal_cert_pem.txt
Your PayPal Public Certificate ID: xxxxxxxxxxxxx
Working Directory: /<somepath>/work/
OpenSSL Location: /<somepath>/openssl

And here's SagePay:

Enable Sage Pay Form Module : True
Vendor Login Name: xxxxxxxxxx <provided by sagepay>
Encryption Password: xxxxxxxxxxxxxxxx <provided by sagepay>
Transaction Method: Payment
Transaction Server: Live
Vendor E-Mail: sagepay@@MyWebSiteScripts.com
Send E-Mail: Customer and Vendor
Customer E-Mail Message: <blank>
Payment Zone: --none--
Set Order Status: Pending
Sort order of display.: 10

Many thanks

Jandy


@@shamanix

Use PayPal Standard ONLY with Certificate Credentials or use PayPal Express with API. Like I said, a properly configured cart has no vulnerabilities.

Chris


@@DunWeb

What's the difference between "PayPal Standard ONLY" that you mentioned and "PayPal Website Payments Standard", and where can I find the "PayPal Standard ONLY" module (as it's not listed on my install)?

I have configured my "PayPal Website Payments Standard" module as detailed by @@Mort-lemur in http://www.oscommerce.com/forums/topic/387748-closing-the-paypal-checkout-confirmation-exploit/ Is that what you mean by Certificate Credentials?

I notice "PayPal Express Checkout" is available so will configure and try that too. Thanks!

Jandy


@@shamanix

Use PayPal Standard ONLY with Certificate Credentials or use PayPal Express with API. Like I said, a properly configured cart has no vulnerabilities.

Chris

I too would like a properly configured cart with no vulnerabilities, but in order to achieve that I need some guidance.

I'm trying to establish if I have installed and configured the correct payment module or if I need to download and install a different one.

So the questions are:

- Is "PayPal Standard" (referred to above) the same payment module as "PayPal Website Payments Standard" which is listed in modules->payment on my default system install?

- If the answer is yes then:
Does "ONLY with Certificate Credentials" (referred to above) mean setting up this module with openssl as detailed in this post: http://www.oscommerce.com/forums/topic/387748-closing-the-paypal-checkout-confirmation-exploit/ ?

- If the answer is yes then:
Please can you look at my configuration listed above at point #7 and point me to what I have overlooked and how to go about properly configuring it. (Ignore the email addresses because they have been converted to some bizarre @ mention by the forum software.)

Help appreciated, thank you

Jandy


Hi All,

I do not see any additional configuration I need to do in the shopping cart.

To me, the problem looks more like a flaw in the design.....

1) If I am selling physical products, I can always double check order versus payment, so no problem.

2) But, if I am going to sell virtual products (downloadable SW, tickets, vouchers, etc., where the cart will automatically enable a download link or provide a voucher for download), this is a SERIOUS issue.


If you are selling downloadable products, add the super download store addon. This, I believe, checks for a payment before allowing the download, or changing the order status to download available. If no payment is found, the order status does not change.

REMEMBER BACKUP, BACKUP AND BACKUP


  • 4 weeks later...

=> If the product is downloadable, you already get links to download.

v2.2RC2 introduced download flags tied to the order status. Downloads are only made available depending on the order status. Downloads are disabled for the default order status (Pending), which "Set PayPal Acknowledged Order Status" is also set to by default.

:heart:, osCommerce


To me, the problem looks more like a flaw in the design.....

1) If I am selling physical products, I can always double check order versus payment, so no problem.

2) But, if I am going to sell virtual products (downloadable SW, tickets, vouchers, etc., where the cart will automatically enable a download link or provide a voucher for download), this is a SERIOUS issue.

It is not a flaw in design as the PayPal Instant Payment Notification (IPN) is used to verify the payment transaction.

Yes, with the PayPal Website Payments Standard payment module it is possible to skip the payment at PayPal and process the order through checkout_process.php. With this payment method it is not possible to verify who is accessing checkout_process.php. A check for the referrer can be added but this can be spoofed.

It is the way the PayPal Website Payments Standard feature works and affects all e-commerce solutions.

If there is no PayPal IPN message stored with the order, no payment in your PayPal account, and there is no sign of an IPN in your PayPal Account IPN History, then you can be sure the order is fake and the customer a fraud.

Downloadable products are not affected as of v2.2RC2 (from 2008) as downloads are only enabled for specific order statuses. Downloads are disabled for the default Pending order status that is used for new orders.

A more tightened and secure transaction design is available with the PayPal Express Checkout payment module.

:heart:, osCommerce


I have to correct myself. I just read through the PayPal API documentation again and discovered it is possible to verify the transaction in checkout_process.php.

It is possible for PayPal to send the same parameters it sends with the IPN to checkout_process.php when the customer returns back to the store. Here we can validate the transaction and if PayPal verifies it, the order is processed as normal. If the parameters are missing or if PayPal declares the transaction invalid, the order processing is skipped and the customer is returned to the shopping cart page.

This will be included in PayPal Website Payments Standard v1.1 and osCommerce Online Merchant v2.3.4.

:heart:, osCommerce

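The check described in the post above (validate the returned payment parameters before processing the order, and skip processing when they are missing or the gateway rejects them), together with the status-gated download flags mentioned earlier in the thread, modelled as an added example. This is not the osCommerce v2.3.4 or PayPal Website Payments Standard v1.1 code: `FakePayPalVerifier` is a stand-in for the real validation post-back to PayPal, the IPN field names are PayPal's standard ones, the use of `custom` to carry the order id and the order status names are assumptions, and the order and parameter values are constructed.

```python
"""Gate order processing on a gateway-verified payment notification.

Added example, not the osCommerce v2.3.4 / PayPal Standard v1.1 code. It
models the check described in the thread: the parameters PayPal posts back
with the returning customer are validated before the order is processed; if
they are missing or the gateway does not confirm them, processing is skipped.
FakePayPalVerifier stands in for the real post-back to PayPal; the status
names, the use of 'custom' for the order id, and all values are constructed.
"""
from decimal import Decimal, InvalidOperation

STORE_RECEIVER_EMAIL = "payments@example.com"             # constructed merchant account
DOWNLOAD_ENABLED_STATUSES = {"Processing", "Delivered"}   # assumed status names

# Constructed pending order, as stored before the customer is sent to PayPal.
ORDER = {"order_id": 2001, "total": Decimal("49.99"), "currency": "USD",
         "status": "Pending"}

# Standard PayPal IPN field names; 'custom' carrying the order id is an assumption.
REQUIRED = ("txn_id", "payment_status", "mc_gross", "mc_currency",
            "receiver_email", "custom")


class FakePayPalVerifier:
    """Stand-in for PayPal's validation endpoint: it only knows which txn_ids exist."""

    def __init__(self, valid_txn_ids):
        self.valid = set(valid_txn_ids)

    def verify(self, params):
        return params.get("txn_id") in self.valid


def validate_return(params, order, verifier, seen_txn_ids):
    """Return (ok, reason); ok is True only when every check passes."""
    if any(k not in params for k in REQUIRED):
        return False, "payment parameters missing (checkout_process reached directly)"
    if not verifier.verify(params):
        return False, "gateway did not verify the transaction"
    if params["payment_status"] != "Completed":
        return False, f"payment_status is {params['payment_status']}"
    if params["receiver_email"].lower() != STORE_RECEIVER_EMAIL:
        return False, "payment went to a different receiver"
    if str(params["custom"]) != str(order["order_id"]):
        return False, "notification is for a different order"
    try:
        gross = Decimal(params["mc_gross"])
    except InvalidOperation:
        return False, "mc_gross is not a number"
    if gross != order["total"] or params["mc_currency"] != order["currency"]:
        return False, "amount or currency does not match the order"
    if params["txn_id"] in seen_txn_ids:
        return False, "txn_id already used (replayed notification)"
    return True, "verified"


def checkout_process(params, order, verifier, seen_txn_ids):
    """Return (new_status, reason): 'Processing' when verified, else unchanged."""
    ok, reason = validate_return(params, order, verifier, seen_txn_ids)
    if not ok:
        return order["status"], reason      # skip processing; back to the cart
    seen_txn_ids.add(params["txn_id"])      # a txn_id can credit only one order
    return "Processing", reason


def downloads_enabled(status):
    """Download flags tied to order status: nothing for the default Pending status."""
    return status in DOWNLOAD_ENABLED_STATUSES


if __name__ == "__main__":
    verifier = FakePayPalVerifier(["TXN-1"])
    seen = set()
    good = {"txn_id": "TXN-1", "payment_status": "Completed", "mc_gross": "49.99",
            "mc_currency": "USD", "receiver_email": STORE_RECEIVER_EMAIL, "custom": "2001"}
    for label, p in (("direct hit, no params", {}), ("real return", good), ("replay", good)):
        status, reason = checkout_process(p, ORDER, verifier, seen)
        print(f"{label}: status={status}, downloads={downloads_enabled(status)} ({reason})")
```

The order of the checks matters: the parameters are handed to the gateway for verification first, so the amount, currency, receiver and order-id comparisons are made against values the gateway has vouched for rather than against whatever arrived in the request. The replay check covers a verified-but-reused transaction, which is why the transaction id is recorded only after a successful validation.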

Archived

This topic is now archived and is closed to further replies.
