
Archived

This topic is now archived and is closed to further replies.

SecurePay

Security Vulnerabilities in Payment Modules


We have found that the majority of the included payment modules in the latest stable version of osCommerce (v2.3.3) are vulnerable and would like to report them to the developers.

 

As an example, we found that the NOCHEX module is vulnerable and it is possible to place an order without actually paying. This is because the before_process function in nochex.php is empty and does not check the order information (e.g., order number, total price). NOCHEX is only one of the modules we found to be vulnerable; there are many more, including important ones like PayPal. We believe that security issues in the payment modules are very important and should be fixed as soon as possible.

 

Since the vulnerabilities may be exploited in many deployed systems, we are not publicly disclosing the details here. If you are the developer of osCommerce, please contact us for details.

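To make the point in the post concrete, here is an added example (not code from osCommerce or from the poster) of what an empty before_process hook looks like next to the kind of check a payment module should perform before the order is recorded. The method name before_process and the order fields follow osCommerce 2.3 conventions; the gateway return parameters ('order_id', 'amount', 'currency', 'status', 'sig'), the HMAC scheme and the shared secret are assumptions for illustration, since real gateways each define their own callback format and verification method.

```php
<?php
// Added example, not osCommerce or NOCHEX code. Gateway parameter names,
// the HMAC signing scheme and the shared secret are hypothetical.

// The shape the post describes: the hook does nothing, so checkout completes
// regardless of what the gateway returned (or whether it returned anything).
function before_process_empty()
{
    return;
}

// Hardened check: the returned data must be authenticated by the gateway and
// must match the order held in the session (id, currency, amount) and report
// a successful payment. Only then may the order be recorded as paid.
function verify_payment_return(array $params, array $order, string $secret): bool
{
    // Every expected field must be present; an empty or partial return fails.
    foreach (['order_id', 'amount', 'currency', 'status', 'sig'] as $field) {
        if (!isset($params[$field])) {
            return false;
        }
    }

    // Authenticate the message first. Without this the customer can simply
    // post "status=paid" for any amount themselves.
    $signed = $params['order_id'] . '|' . $params['amount'] . '|'
            . $params['currency'] . '|' . $params['status'];
    $expected = hash_hmac('sha256', $signed, $secret);
    if (!hash_equals($expected, $params['sig'])) {
        return false;
    }

    // Bind the callback to this specific order.
    if ($params['order_id'] !== (string) $order['id']) {
        return false;
    }
    if ($params['currency'] !== $order['currency']) {
        return false;
    }

    // Compare money as integer minor units (pence/cents), never as floats.
    $paid = (int) round(((float) $params['amount']) * 100);
    $due  = (int) round(((float) $order['total']) * 100);
    if ($paid < $due) {
        return false;
    }

    return $params['status'] === 'paid';
}

// Helper used only to build constructed sample callbacks below.
function sign_sample(array $p, string $secret): array
{
    $p['sig'] = hash_hmac(
        'sha256',
        $p['order_id'] . '|' . $p['amount'] . '|' . $p['currency'] . '|' . $p['status'],
        $secret
    );
    return $p;
}

// Constructed sample data: the order in the session and several gateway returns.
$secret = 'example-shared-secret';
$order  = ['id' => 1234, 'total' => '49.99', 'currency' => 'GBP'];

$genuine   = sign_sample(['order_id' => '1234', 'amount' => '49.99',
                          'currency' => 'GBP', 'status' => 'paid'], $secret);
$underpaid = sign_sample(['order_id' => '1234', 'amount' => '0.01',
                          'currency' => 'GBP', 'status' => 'paid'], $secret);
$tampered  = $genuine;
$tampered['order_id'] = '9999';   // signature no longer covers this value
$missing   = [];                  // what the empty hook effectively accepts

foreach (['genuine' => $genuine, 'underpaid' => $underpaid,
          'tampered' => $tampered, 'missing' => $missing] as $label => $params) {
    printf("%-10s accepted=%s\n", $label,
        verify_payment_return($params, $order, $secret) ? 'yes' : 'no');
}
```

In a real module, before_process would call a check like this and, on failure, send the customer back to the payment step (osCommerce modules conventionally do this with tep_redirect and tep_href_link to FILENAME_CHECKOUT_PAYMENT) rather than fall through to after_process. The signature check is the part that matters most: matching the total alone is not enough when the customer controls every field of the return.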

@SecurePay

lol... you posted on a public forum, therefore your unconfirmed claims have been made public. Also, if you are from SecurePay, then you already know how to contact the developers. As far as I can see, v2.3.3 does not have a payment module vulnerability. However, please submit your fixes on GitHub for review.

Chris


We are security researchers not affiliated with any payment services. Sorry if the user name caused confusion. We believe the vulnerabilities detected have not been reported or publicly disclosed before. They have not yet been confirmed by the osCommerce developers, but we have successfully exploited them in our test environment. We did try to contact the developers multiple times, but only Nick, who is no longer with the team, got back to us.
