quicklyshop
Posted January 16, 2005

I have received an order today at quicklyshop.com for 2 Arctic Silvers at £3.95 each, £7.90 in total, paid with Nochex. The buyer somehow managed to skip the shipping and went to the payment page. So to find out how he managed to do this, I logged in with my test account, placed 2 Arctic Silvers in my basket and went to checkout, but I could not skip the shipping section as this buyer did. So how did this happen, and how can we prevent it from happening again?

I can't type a trick like i can type.

boxtel
Posted January 16, 2005

> I have received an order today at quicklyshop.com for 2 Arctic Silvers at £3.95 each, £7.90 in total, paid with Nochex. The buyer somehow managed to skip the shipping and went to the payment page. So to find out how he managed to do this, I logged in with my test account, placed 2 Arctic Silvers in my basket and went to checkout, but I could not skip the shipping section as this buyer did. So how did this happen, and how can we prevent it from happening again?

Well, you either created your own loophole or your analysis of what happened is not totally correct. Suggest you review your SSL server logs; they can tell you.

Treasurer MFC

quicklyshop (Author)
Posted January 16, 2005

Okay, I didn't create my loophole. Seems like any customer who knows about the checkout procedure of osCommerce can alter the payment on checkout. All they have to do is get the document source in HTML, modify the form values and submit to checkout. So I assume this could be done with most of the shopping cart scripts on the market. So the best way is doing a security check on every payment and order. Although you could get your payment script to do this job for you when the payment is received: check the payment ID, the price of individual items in the order and the shipping charge against the database, and if all are correct the script accepts the payment and places the order; if not, it will fail the order.

I can't type a trick like i can type.

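Added example, not part of the thread and not osCommerce code: the check quicklyshop describes, recomputing the order total from stored prices and the stored shipping choice when the payment notification arrives, in PHP. The product id, shipping charge, order numbers and the `order_id` / `amount_pence` field names are constructed for illustration; authenticating the notification itself with the payment provider is assumed to happen separately.

```php
<?php
// Added example: constructed data stands in for the shop database.
// Prices are in pence (integers) so comparisons are exact.
const CATALOGUE = [101 => 395];            // products_id => unit price
const SHIPPING  = ['standard' => 250];     // shipping method => charge

// Orders as stored server-side when checkout began (constructed).
$orders = [
    5001 => ['items' => [101 => 2], 'shipping' => 'standard', 'status' => 'pending'],
    5002 => ['items' => [101 => 2], 'shipping' => null,       'status' => 'pending'],
];

// Recompute the total from server-side data only; never trust form values.
function expected_total(array $order): int
{
    $method = $order['shipping'] ?? '';
    if (!array_key_exists($method, SHIPPING)) {
        throw new RuntimeException('no valid shipping method on order');
    }
    $total = SHIPPING[$method];
    foreach ($order['items'] as $productId => $qty) {
        if (!array_key_exists($productId, CATALOGUE) || !is_int($qty) || $qty < 1) {
            throw new RuntimeException('unknown product or bad quantity');
        }
        $total += CATALOGUE[$productId] * $qty;
    }
    return $total;
}

// $notice holds hypothetical callback fields; real gateways name them differently.
function verify_payment(array $orders, array $notice): string
{
    $id = filter_var($notice['order_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($orders[$id]) || $orders[$id]['status'] !== 'pending') {
        return 'reject: unknown or already processed order';
    }
    try {
        $expected = expected_total($orders[$id]);
    } catch (RuntimeException $e) {
        return 'reject: ' . $e->getMessage();
    }
    $paid = filter_var($notice['amount_pence'] ?? null, FILTER_VALIDATE_INT);
    return $paid === $expected ? 'accept' : "hold: paid amount differs from $expected";
}

// Constructed notifications: correct total, shipping charge missing, no shipping chosen.
foreach ([['5001', '1040'], ['5001', '790'], ['5002', '790']] as [$id, $amt]) {
    echo $id, ' ', $amt, ' => ',
        verify_payment($orders, ['order_id' => $id, 'amount_pence' => $amt]), "\n";
}
```

An order paid without the shipping charge is held for review, and an order that reached payment with no shipping method stored is rejected before any amount is compared.
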
quicklyshop (Author)
Posted January 16, 2005

By the way, the payment method used in the above situation was NOCHEX.

I can't type a trick like i can type.

boxtel
Posted January 16, 2005

> Okay, I didn't create my loophole. Seems like any customer who knows about the checkout procedure of osCommerce can alter the payment on checkout. All they have to do is get the document source in HTML, modify the form values and submit to checkout. So I assume this could be done with most of the shopping cart scripts on the market. So the best way is doing a security check on every payment and order. Although you could get your payment script to do this job for you when the payment is received: check the payment ID, the price of individual items in the order and the shipping charge against the database, and if all are correct the script accepts the payment and places the order; if not, it will fail the order.

OK, if this is all it takes: "All they have to the get the document source in html modify the form values and submit to checkout", whatever that means, I suggest you try it out on my site and I will call you Sir forever.

Treasurer MFC

boxtel
Posted January 16, 2005

> By the way, the payment method used in the above situation was NOCHEX.

OK, I don't use that, but you were talking about bypassing the checkout_shipping.

Treasurer MFC

Guest
Posted January 16, 2005

> OK, I don't use that, but you were talking about bypassing the checkout_shipping.

You can also bypass it by entering the checkout_confirmation.php URL in the address bar from shopping_cart.php and hitting enter.

Guest
Posted January 16, 2005

> Okay, I didn't create my loophole. Seems like any customer who knows about the checkout procedure of osCommerce can alter the payment on checkout. All they have to do is get the document source in HTML, modify the form values and submit to checkout...

Could be a variable injection issue. Not sure. Do you have register globals enabled? If so, then that could be the loophole that is being used.

Rich.

boxtel
Posted January 16, 2005

> You can also bypass it by entering the checkout_confirmation.php URL in the address bar from shopping_cart.php and hitting enter.

No, that takes you back to checkout_shipping, sorry.

Treasurer MFC

Guest
Posted January 16, 2005

> No, that takes you back to checkout_shipping, sorry.

On yours it does, but not on his... Set up an account and try it.

boxtel
Posted January 16, 2005

> On yours it does, but not on his... Set up an account and try it.

Well, that tells me that this is not a security issue with osCommerce. It might be a security issue with a contribution used.

Treasurer MFC

Guest
Posted January 16, 2005

> I have received an order today at quicklyshop.com for 2 Arctic Silvers at £3.95 each, £7.90 in total, paid with Nochex. The buyer somehow managed to skip the shipping and went to the payment page. So to find out how he managed to do this, I logged in with my test account, placed 2 Arctic Silvers in my basket and went to checkout, but I could not skip the shipping section as this buyer did. So how did this happen, and how can we prevent it from happening again?

I just noticed the reference to 2.1. Have you considered upgrading to 2.2?

quicklyshop (Author)
Posted January 16, 2005

> I just noticed the reference to 2.1. Have you considered upgrading to 2.2?

I modified 2.1 so heavily that it would be really difficult to upgrade to 2.2. But I am planning to rebuild the site in the near future with 2.2.

I can't type a trick like i can type.

quicklyshop (Author)
Posted January 16, 2005

> Well, that tells me that this is not a security issue with osCommerce. It might be a security issue with a contribution used.

Well, there is no additional contribution used on checkout.

I can't type a trick like i can type.

quicklyshop (Author)
Posted January 16, 2005

Okay, I found the problem: http://secunia.com/advisories/10443/

> The problem is that the "country" parameter isn't properly validated in various scripts including "create_account_process.php" and "account_edit_process.php". This can potentially be exploited to manipulate SQL queries. Also the "products_id" isn't properly validated when a user adds an item to the shopping cart. osCommerce 2.2ms1 has been reported vulnerable.

So the solution is using 2.2 MS2, but currently that is out of the question for me.

I can't type a trick like i can type.

Archived
This topic is now archived and is closed to further replies.