osCommerce

The e-commerce.

HSBC secure-epayment module


Guest

Actually I'm wondering if my conf is wrong at some point

 

define('HTTP_SERVER', 'https://www.chillows.co.uk'); // eg, http://localhost - should not be empty for productive servers
define('HTTPS_SERVER', 'https://www.chillows.co.uk'); // eg, https://localhost - should not be empty for productive servers
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '212.241.196.235');
define('HTTPS_COOKIE_DOMAIN', '212.241.196.235');
define('HTTP_COOKIE_PATH', '/catalog/');
define('HTTPS_COOKIE_PATH', '/catalog/');
define('DIR_WS_HTTP_CATALOG', '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', '/var/www/vhosts/chillows.co.uk/httpsdocs/catalog/');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

Link to comment
Share on other sites

Well there are loads of problems with that.

 

1. You don't have a trusted ssl cert at all - you only have a non-trusted (self-signed) ssl cert made out to Plesk.

2. With Plesk (at least the way your hosts have it set up) you have to use a two folder system and you've put everything in the httpsdocs folder and nothing in the httpdocs folder - so you'll never get any search engine rankings (they don't rank https pages).

 

Basically you need a proper (trusted) ssl cert, and to get your hosts to symbolically link the httpsdocs folder to the httpdocs folder - and then you only need to keep a copy of your files in the httpdocs folder.

 

Vger

Link to comment
Share on other sites

Thanks Vger, what's the best way for me to get a trusted ssl? Can you get one for free?

I'll see what I can sort out with the hosting re the httpsdocs folder, I did initially have the store installed in the normal http folder but moved it. How does the symbolic linking work by the way? Is it like a mirroring of the httpsdocs folder? Would all the domain names appear as https in the browser then?

Feel a bit better now I've got some feedback from somebody who knows what's going on, thanks again.

 

Mat

Link to comment
Share on other sites

No, you can't get a Trusted ssl cert for free as they are all commercially sold ssl certificates e.g. Geotrust, GoDaddy, Thawte, VeriSign etc. Your site also has to have its own dedicated ip address to be able to have a full ssl cert on a shared server.

 

Your hosting company has to set up the symbolic link from the httpsdocs to the httpdocs folder - and using Plesk it's not easy to achieve. Any https request is diverted to the httpdocs folder, but fooled into thinking it's in the httpsdocs folder, so it works fine.

 

Vger

Edited by Vger
Link to comment
Share on other sites

OK I am stuck, stuck and even more stuck!

OK I installed the version 3.1, it did not work so I have removed it and installed version 3.0... I think I have confused myself on this issue!!

I followed all the instructions in the readme file but I still get the following error when I try and run through a test transaction:

 

Warning: exec() [function.exec]: Unable to fork [E:\sites2\oneAdmin41\shop\cgi-bin TestHash.exe "zOR1mj9kBux14oZkIL/FmCtCX0JPwkxT" "http://URL/shop/checkout_process.php" "http://URL/shop/hsbc_return.php" "Tactical Things order" "Order 06221-045354" "4800" "826" "UK............GBP" "1155225234000" "Auth" "8te9t1dfh5df1u42apfl2q8fo3" "8411 White Cross" "Lancaster" "826" "Lancashire" "Graham" "Wilson" "la1 5fb" "[email protected]" "8411 White add1" "town" "826" "county" "Graham" "Wilson" "la1 5fb" "T" 2>&1] in E:\sites2\oneAdmin41\shop\includes\modules\payment\hsbc.php on line 96

 

I have attempted to solve this in a couple of ways but neither seems to work.

 

E:\sites2\oneAdmin41\shop\includes\modules\payment\hsbc.php

 

file looks like this:

 

//Function to generate a hash to perform the POST or to check received parameters
function getHash($fields)
{
    $cmd="";
    reset($fields);
    while(list($k,$v)=each($fields))
    {
        $cmd.=" \"$v\" ";
    }

    //Path where the TestHash.e executable is located
    $path='E:\sites2\oneAdmin41\shop\cgi-bin';

    putenv("LD_LIBRARY_PATH=$path");

    //Executes the TestHash to get the hash
    $cmd="$path TestHash.exe \"".MODULE_PAYMENT_HSBC_HASH."\" $cmd 2>&1";

    $ret=exec($cmd, $output);

    $ret=split(':',$ret);

    //Returns the hash
    $hash=trim($ret[1]);
    return($hash);
}

 

Obviously the rest is the same as the standard file. I have used the .exe version of the CPI integration files. All I have done is copy the 3 executable files into the file "cgi-bin". If I ignore the error and click continue on my order I then get a further error:

 

Warning: exec() [function.exec]: Unable to fork [E:\sites2\oneAdmin41\shop\cgi-bin TestHash.exe "HASH KEY" "UK............GBP" "Order 06221-045354" "4800" "826" "1155225910751" "[email protected]" "8te9t1dfh5df1u42apfl2q8fo3" "10" 2>&1] in E:\sites2\oneAdmin41\shop\includes\modules\payment\hsbc.php on line 96

Hacking attempt!

 

I presume that they are related and one occurs because of another.

In the admin section I have everything set up correctly, that I am pretty sure of.

The only thing I can think of is that I am not using a secure connection currently but in my opinion that should not be an issue as the error occurs before any data is passed to HSBC.com/servlet page.

Can anyone help? I am at my wits' end with this!

My server configuration is

 

IIS 6.0

Windows 2k3

MySQL >> Latest Stable

PHP >> 5

 

Any help would be more than greatly appreciated!

 

PS Note: This is a virgin installation of oscommerce MS2.2 so no other contribs installed!

 

Many Thanks

Link to comment
Share on other sites

If you read the HSBC Requirements they will tell you that you have to connect using https - so "Yes" it is an issue.

 

But you also require certain files to be loaded on the shared library of the server you're using, and for cURL to be compiled into php, plus the three files to be loaded into the cgi bin and set to permissions of 755.

 

Vger

Link to comment
Share on other sites

OK the cgi bin files have the correct permission. Could you elaborate on the following: "cURL to be compiled into php"? I am not 100% sure what you mean by this. I will shift all the files to a secure connection.

 

Many Thanks for your prompt reply

 

PS: Would the fact that the files are not stored in a secure area really cause the "Unable to Fork..."?

Link to comment
Share on other sites

To find out if cURL (which applies basic encryption) is compiled into PHP go to your osCommerce admin panel --> Tools --> Server Info and take a look. It will tell you if cURL is available or not.

I don't know if the 'unable to fork' error is caused by ssl problems, but it may be caused by the ssl server (if it is separate) being unable to communicate properly with the non-ssl server.

 

It might help if we knew your URL and who you are hosted with.

 

Vger

Link to comment
Share on other sites

I can't get the order_id numbers to match. I get one number on the hsbc page, a slightly different one in the e-mail confirming the order and a different one altogether in admin orders.

 

I seem to be going around in circles with the advice in the forum so would appreciate it if anyone could give me the idiot's guide to sorting the order_id's.

 

Thanks

Janette

Link to comment
Share on other sites

Fiddled a bit more and now the order number from hsbc and the one that is e-mailed to the person placing the order match but the one showing in the admin orders and on the customers history page is just a 0 !?!?!?

 

J

Link to comment
Share on other sites

OK....

 

I am having serious problems with getting this working on a Windows Server. If possible could somebody who has the HSBC module running on a Windows platform contact me via email. I have been in conversations with Vger who was very helpful but unfortunately he does not run on a Windows platform. As I promised with Vger I will post the solution when we get it working so that any future "Windows runners" can install this great mod, problem free!

 

Many Thanks

 

Graham

Link to comment
Share on other sites

What are the server/setup requirements for running this payment module?

 

I get the infamous HACKING ATTEMPT! error

 

I also added the hashcode output so I get this now but I'm not sure what it means:

 

Hacking atempt! - orderHash=WRfZoUdA0X9hDr1BeBKkpTzwWhE= hash=line 1

 

Any help is appreciated!

Link to comment
Share on other sites

OK you need to give the cmd.exe read and execute privileges via the internet guest user. After you have done this your error message will transform from the infamous "unable to fork" to the more famous "hacking attempt". I am now going to add the Hash output and try to debug that!

Link to comment
Share on other sites

I did the same thing myself. I think it means that the hash isn't being generated properly. Make sure your server can compile c files. I've got my site on shared hosting and I'm currently trying to figure a way of using mhash and mcrypt instead of using the cgibin files such as TestHash.

 

If anyone still has the module somewhere please PM me.

 

OK...

 

I added to the hsbc_return.php

 

if ($order_hash!=$hash) die ("Hacking atempt! - orderHash=".$order_hash." hash=".$hash);

and it returned

Hacking atempt! - orderHash=RPLPyssj4XWsZTunXgZCK96B8Tk= hash=

Can anyone help me debug

 

Graham

Link to comment
Share on other sites
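
Added example (not part of the thread and not the HSBC module's code): one way to handle both the command line built in the posted getHash() and the debug line added to hsbc_return.php. It joins the directory and executable with a path separator, escapes every argument, treats a failed helper run as "no hash", and compares with hash_equals() while logging a mismatch on the server instead of printing the computed hash to the browser. HSBC_HASH_DIR, HSBC_HASH_EXE and both function names are hypothetical, and it assumes TestHash.exe exits with status 0 on success and prints the hash after a colon, as the split(':') in the posted code implies.

```php
<?php
// Added example, not the module's code. HSBC_HASH_DIR, HSBC_HASH_EXE and both
// function names are hypothetical. Needs PHP 5.6+ for hash_equals().
define('HSBC_HASH_DIR', 'E:\\sites2\\oneAdmin41\\shop\\cgi-bin');
define('HSBC_HASH_EXE', 'TestHash.exe');

function hsbc_compute_hash($key, array $fields)
{
    // Join directory and file name with a separator; the posted command
    // string has a space there, so it names the directory, not the program.
    $exe = HSBC_HASH_DIR . DIRECTORY_SEPARATOR . HSBC_HASH_EXE;
    if (!is_file($exe)) {
        error_log('HSBC: hash helper not found: ' . $exe);
        return null;
    }
    // Quote every argument: names and addresses typed by the customer end up
    // on this command line. On Windows escapeshellarg() replaces ", % and !
    // with spaces, so such values would hash differently from what was sent.
    $args = array(escapeshellarg($key));
    foreach ($fields as $value) {
        $args[] = escapeshellarg((string) $value);
    }
    $cmd = escapeshellarg($exe) . ' ' . implode(' ', $args) . ' 2>&1';

    $output = array();
    $status = -1;
    exec($cmd, $output, $status);
    // Assumption: the helper exits with status 0 when it produced a hash.
    if ($status !== 0 || count($output) === 0) {
        // Log the status only; $cmd contains the shared secret.
        error_log('HSBC: hash helper failed, exit status ' . $status);
        return null;
    }
    // As in the posted getHash(): the hash follows ':' on the last line.
    $parts = explode(':', end($output), 2);
    $hash = isset($parts[1]) ? trim($parts[1]) : '';
    return $hash !== '' ? $hash : null;
}

function hsbc_verify_return($key, array $fields, $received)
{
    $expected = hsbc_compute_hash($key, $fields);
    // Fail closed, and keep the detail in the server log rather than in die().
    if ($expected === null || !is_string($received) || $received === '') {
        error_log('HSBC: return rejected, hash missing on one side');
        return false;
    }
    if (!hash_equals($expected, $received)) {
        error_log("HSBC: hash mismatch expected=$expected received=$received");
        return false;
    }
    return true;
}
```
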

Yeah, I'm running a Windows-based IIS server. I am a bit out of my depth when you start talking about compiling C files!

 

Any Help?

Link to comment
Share on other sites

SSL can be shared, but if you are paying all that money to use HSBC secure e-Payments then I'd spend the few extra pounds and have full ssl installed.

 

Vger

 

Hi all, thanks for the tips previously Vger, I've installed an SSL cert for my site now, a trial one from Thawte, but I get a message popping up when hitting the site saying there is a mismatch between www.chillows.co.uk and chillow.co.uk - I can't work out what I've done wrong there.

 

I'm also getting the hacking attempt, could this be because of the above mentioned problem on my cert?

 

Not going to give up on this one!

 

https://www.chillows.co.uk/catalog/

Link to comment
Share on other sites

Hi,

 

The SSL error you are getting is exactly as you said. The SSL was issued to chillows.co.uk but your site's URL is www.chillows.co.uk. You could change the configure.php file and remove the www from the HTTPS_CATALOG_SERVER path, this will at least cure that problem.

 

With regards to the HSBC hacking attempt problem, unfortunately the SSL is not the problem and this is most likely caused by the Hash key not being generated or being incorrect.

 

Good luck

 

Neil Westlake

Link to comment
Share on other sites

Hi thanks Neil, I've created a new cert now that matches up the domain, I may be wrong but I think this is just because I am using a Thawte Test CA root for now.

 

I only see HTTPS_CATALOG_SERVER in the admin configure.php and there is no path at all in this currently, I also spotted that in both I can see that define('ENABLE_SSL_CATALOG') is set to false. Should this be set to true?

Link to comment
Share on other sites

Ahh whoops, looks like I just uploaded blank configure files to my site! Not a good move

Link to comment
Share on other sites

Your configure file should be set as follows:

 

define('HTTP_SERVER', 'http://www.chillows.co.uk');
define('HTTP_CATALOG_SERVER', 'http://www.chillows.co.uk');
define('HTTPS_CATALOG_SERVER', 'https://www.chillows.co.uk');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

 

It doesn't matter if you use a non trusted root certificate, all HSBC is interested in is seeing a post from a https URL.

 

Neil Westlake

Link to comment
Share on other sites

OK, that's good to know about the root cert. I've got the above settings in now although I could only find the above settings verbatim in the admin configure file, but I'm still getting the hacking attempt. I'm wondering what is the first step of tackling this message, I've changed the PHP to display the hashes as per previous posts in this topic, they don't appear to match!

Link to comment
Share on other sites
