cpruissen Posted August 7, 2005
Hi, In the last month I've had two people order downloads using false information, re: zzzzzzzzzz, 3333333333, etc. in the phone number/address area and be able to get their order processed by bypassing both the PayPal and my ecommerce gateway. I am stumped as to how their order gets processed and they actually receive the downloads without going through the gateways first. How do I stop this stealing and block this from happening again? My admin files are hidden, password protected and blocked from robots in the robots.txt file. Any advice would be greatly appreciated. Thanks, Catherine http://childcare.net/catalog/catalog/default.php
♥yesudo Posted August 7, 2005
Yep - I just tried and was able to bypass the payment processors. The only way to truly protect is not to allow immediate downloads. Make the releasing of a download a manual process - and add something to your terms and conditions to this effect.
Your online success is Paramount.
landlordaccounting Posted August 7, 2005
> Hi, In the last month I've had two people order downloads using false information, re: zzzzzzzzzz, 3333333333, etc. in the phone number/address area and be able to get their order processed by bypassing both the PayPal and my ecommerce gateway. I am stumped as to how their order gets processed and they actually receive the downloads without going through the gateways first. How do I stop this stealing and block this from happening again? My admin files are hidden, password protected and blocked from robots in the robots.txt file. Any advice would be greatly appreciated. Thanks, Catherine http://childcare.net/catalog/catalog/default.php
This seems very serious. I am evaluating various ecommerce solutions for my downloadable products. Do you mean that I will have this big loophole in my site when I implement osCommerce? People will be able to give bogus info and download it for free? Yikes, Jonathan
♥yesudo Posted August 7, 2005
Have you got the download controller installed? What is the default status for downloadables?
Your online success is Paramount.
Guest Posted August 7, 2005
Yes, I discovered to my horror that when you go to checkout (e.g. the customer shoots off to the PayPal or Nochex sites to pay), if you at the same time go back into My Account before checkout and check in My Orders, the downloads are there. However, not to panic - as stated above, you absolutely must install the Download Controller contribution, as this allows you greater control over when downloads become available, by playing around with the orders_status tables. As an example, my order status settings are:
1 Awaiting payment
2 Order being prepared
3 Goods despatched
4 Awaiting Paypal authorisation
5 Order cancelled-no payment made
6 Please contact fallshop
7 Updated
50000 Awaiting Nochex authorisation
50001 Nochex Authorised
50003 Download now available
50004 Paypal Authorised
And under Downloads in Admin Configuration I have the Downloads Controller Order Status Value set to 50001, i.e. if the order status is anything less than 50001, the download is completely unattainable, irrespective of whether the person has checked out or not. Thus (if, for example, using Nochex APC/PayPal IPN) when the APC/IPN part completes, the order status switches from Awaiting Paypal or Nochex authorisation (downloads unavailable in My Account) to Paypal or Nochex Authorised (downloads available on checkout page and in My Account). The way it works now is spot on (those paying by cheque/bank transfer sit at order status 1 (awaiting payment) until I get the money, then they are switched to status 50003, and an e-mail sent, and the items become downloadable in My Account) - to be fair to my customers, I don't think any of them realised, but it was a bit of a loophole, mainly of my own construction from not reading the readme.txt file with the Download Controller contrib :)
ozEworks Posted August 7, 2005
I could not work out how to do it :) My order is #2765 (Pending), you can delete it. Catherine, you have a really nice site. You put a lot of work into it. You should do prettier buttons! How did you do the main site index at the bottom of your home page - manually?
♥yesudo Posted August 7, 2005
> Yes, I discovered to my horror that when you go to checkout (e.g. the customer shoots off to the PayPal or Nochex sites to pay), if you at the same time go back into My Account before checkout and check in My Orders, the downloads are there.
I achieved getting a free download link a slightly different way. I am not going to publish it here. The knowledge of which just came from experience of the download process - I am not a hacker. But the downloads controller with the correct use of statuses should combat what I achieved.
Your online success is Paramount.
landlordaccounting Posted August 8, 2005
> I achieved getting a free download link a slightly different way. I am not going to publish it here. The knowledge of which just came from experience of the download process - I am not a hacker. But the downloads controller with the correct use of statuses should combat what I achieved.
For the sake of open source improvement, perhaps you should post it. As security issues arise and are made public, they must be fixed. Consider posting it, please. In a related remark, is it possible for someone to directly access the /downloads/download-product-name.pdf (or whatever file it is for download) while circumventing "My Account"? I'm not sure how that directory is chmod'ed, or if another method is used for security. Does someone know how the downloads directory is protected? Thanks!
♥yesudo Posted August 8, 2005
I refrained from posting it for no other reason than to keep the information from becoming public and thus putting other similar stores at risk. But I understand what you say, so: When you get to the checkout_confirmation.php page during a transaction - in the address bar on your browser change the URL from checkout_confirmation.php to checkout_process.php and hit enter.
Your online success is Paramount.
♥yesudo Posted August 8, 2005
This is usually a problem with the status of downloadables. Try the downloads controller, download by redirect, and use a payment processor who can send a post to the site following purchase, on which you can test and, if successful, at that stage set an order to delivered/downloadable. Also rename your downloads directory to something a little less obvious and update the new name in your configure file. Although this doesn't eliminate c/c fraud, so you may want to leave that process until you are happy with payment and can set the order to delivered/downloadable manually.
Your online success is Paramount.
cpruissen Posted August 8, 2005 (Author)
> This is usually a problem with the status of downloadables. Try the downloads controller, download by redirect, and use a payment processor who can send a post to the site following purchase, on which you can test and, if successful, at that stage set an order to delivered/downloadable. Also rename your downloads directory to something a little less obvious and update the new name in your configure file. Although this doesn't eliminate c/c fraud, so you may want to leave that process until you are happy with payment and can set the order to delivered/downloadable manually.
landlordaccounting Posted August 8, 2005
I got some free manuals at oscommercemanuals.com. This site is powered by osCommerce. I created an account and did everything like I'm supposed to. I got an email and clicked the links to access my free publications. Then I forwarded this email with the links to another computer (that never visited this site, so it would have no cookies and no information about my login). I clicked the link and instantly got the manual in the downloads directory. This seemed like 'downloads' is chmod 777, so one customer can forward a link of their product to a friend. Does the download contribution solve this? I haven't installed anything yet, because if this is as of yet unresolvable, it's a show stopper for me. Thanks, Jonathan
♥yesudo Posted August 8, 2005
download by redirect
Your online success is Paramount.
Sierrab Posted August 8, 2005
> 1 Awaiting payment
> 2 Order being prepared
> 3 Goods despatched
> 4 Awaiting Paypal authorisation
> 5 Order cancelled-no payment made
> 6 Please contact fallshop
> 7 Updated
> 50000 Awaiting Nochex authorisation
> 50001 Nochex Authorised
> 50003 Download now available
> 50004 Paypal Authorised
> And under Downloads in Admin Configuration I have the Downloads Controller Order Status Value set to 50001, i.e. if the order status is anything less than 50001, the download is completely unattainable, irrespective of whether the person has checked out or not. Thus (if, for example, using Nochex APC/PayPal IPN) when the APC/IPN part completes, the order status switches from Awaiting Paypal or Nochex authorisation (downloads unavailable in My Account) to Paypal or Nochex Authorised (downloads available on checkout page and in My Account).
Hi Clayts, Well spotted, I just checked my site and found that you can do a workaround as you suggest, so my question is.... Do you add all the above to the Order Status table? Not only Nos. 1 to 7 but also the 5000 numbers? Why the jump from 7 to 5000? All the best, Steve
cpruissen Posted August 8, 2005 (Author)
> This is usually a problem with the status of downloadables. Try the downloads controller, download by redirect, and use a payment processor who can send a post to the site following purchase, on which you can test and, if successful, at that stage set an order to delivered/downloadable. Also rename your downloads directory to something a little less obvious and update the new name in your configure file. Although this doesn't eliminate c/c fraud, so you may want to leave that process until you are happy with payment and can set the order to delivered/downloadable manually.
Wow! I appreciate all the information and suggestions. I don't want to manually release the downloads as that is counterproductive to what I offer and the competition in my marketplace is getting too intense for this. I'll implement the suggestions of changing directories and applying a redirect. Hopefully this will help. People always find a way to get around any program. Enjoy the day, Catherine
cpruissen Posted August 8, 2005 (Author)
> I could not work out how to do it :) My order is #2765 (Pending), you can delete it. Catherine, you have a really nice site. You put a lot of work into it. You should do prettier buttons! How did you do the main site index at the bottom of your home page - manually?
Thanks for the compliment. Ya... the buttons aren't the best and when time allows I will update. As for the list at the bottom, that is standard on all pages of my site, which is simply copied over to the footer... although looking at it now I see I need to change the copyright date.... so much to do... :blush: . Take care, Catherine
Guest Posted August 8, 2005
> Hi Clayts, Well spotted, I just checked my site and found that you can do a workaround as you suggest, so my question is.... Do you add all the above to the Order Status table? Not only Nos. 1 to 7 but also the 5000 numbers? Why the jump from 7 to 5000? All the best, Steve
The 5000x numbers relating to Nochex were pre-set by the Nochex APC Module. I think I may have tweaked the PayPal authorised one. The reason there's a jump is to allow you to add other order status (stati? :P) to your system - e.g. had to add 8 Lost in post today :lol:
landlordaccounting Posted August 9, 2005
To clarify: the manuals I got were advertised as free. I didn't "get free" ones by stealing or hacking or something.
landlordaccounting Posted August 9, 2005
> I got some free manuals at oscommercemanuals.com. This site is powered by osCommerce. I created an account and did everything like I'm supposed to. I got an email and clicked the links to access my free publications. Then I forwarded this email with the links to another computer (that never visited this site, so it would have no cookies and no information about my login). I clicked the link and instantly got the manual in the downloads directory. This seemed like 'downloads' is chmod 777, so one customer can forward a link of their product to a friend. Does the download contribution solve this? I haven't installed anything yet, because if this is as of yet unresolvable, it's a show stopper for me. Thanks, Jonathan
...Just to clarify! I added to my cart and checked out the free products. (As advertised on the website.) I didn't download anything that wasn't offered for free. Then I forwarded the email to another PC of mine and clicked the link - voila! The file that I thought I should be protected from a direct link was available and it downloaded. (The same free file I checked out with, no others). I'm concerned why this happened on your site, because I haven't been able to replicate it in my tests. I'm new to osCommerce; why was I able to do what I did on the site? The more I investigate the security of the /download/ directory, the more interesting it gets. I just installed a default installation of osCommerce. In the /download/ directory is an .htaccess file that seems to be preventing me from even accessing a file that I know resides in there. For instance, go to: http://test1.landlordaccounting.com/catalo...load/unreal.zip It doesn't allow access without authentication. It says, "The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource." I wonder if this can be spoofed? I hope not, but I want to truly understand the security before I commit 100% to osCommerce. Thanks for reading, Jonathan
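The two defences yesudo recommends above (a download by redirect rather than a public file path, and releasing only once the payment processor has posted back) and Jonathan's question about how /download/ is protected come down to one thing: the browser must never be given a URL that resolves straight to the file. The handler below is an added example written for this thread, not osCommerce's own download.php or the Downloads Controller contribution. It streams a purchased file from a directory outside the web root only after checking, on every request, that the logged-in customer owns the order, that the order's status is one a payment callback or an admin sets, and that the day and count limits are not used up. A forwarded link therefore lands on these checks rather than on the file. Assumed, and not taken from the thread: a PDO connection and its DSN, a session key `customer_id` set at login, the DOWNLOAD_ROOT path, and osCommerce-style `orders`, `orders_products_download` and `orders_status` tables with the column names used in the query.

```php
<?php
// Added example, not osCommerce's own download.php: serve a purchased file
// through a script that checks ownership and payment status on every request
// instead of exposing a path under /download/. Files live outside the web root.
// Assumptions (not from the thread): PDO connection/DSN, session key 'customer_id',
// DOWNLOAD_ROOT, and osCommerce-style tables with the columns used below.
declare(strict_types=1);
session_start();

const DOWNLOAD_ROOT = '/var/www/private/downloads';   // assumed; outside DocumentRoot
// Only statuses that a verified IPN/APC callback or an admin sets by hand.
const RELEASABLE_STATUS_NAMES = ['Paypal Authorised', 'Nochex Authorised', 'Download now available'];

function fail(int $code, string $message): void
{
    http_response_code($code);
    header('Content-Type: text/plain');
    echo $message;
    exit;
}

// Look up the download row and require that it belongs to this customer's order.
function fetchDownload(PDO $db, int $customerId, int $orderId, int $downloadId): array
{
    $stmt = $db->prepare(
        'SELECT opd.orders_products_filename AS filename,
                opd.download_count, opd.download_maxdays,
                o.date_purchased, os.orders_status_name
           FROM orders_products_download AS opd
           JOIN orders AS o ON o.orders_id = opd.orders_id
           JOIN orders_status AS os ON os.orders_status_id = o.orders_status
          WHERE opd.orders_products_download_id = :download
            AND o.orders_id = :order
            AND o.customers_id = :customer'
    );
    $stmt->execute([':download' => $downloadId, ':order' => $orderId, ':customer' => $customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

// Decide from the row alone whether the file may be released; null means yes.
function releaseDecision(array $row, DateTimeImmutable $now): ?string
{
    if (!in_array($row['orders_status_name'], RELEASABLE_STATUS_NAMES, true)) {
        return 'Payment has not been confirmed for this order';
    }
    $maxDays = (int) $row['download_maxdays'];
    $expires = (new DateTimeImmutable($row['date_purchased']))->modify('+' . $maxDays . ' days');
    if ($maxDays > 0 && $now > $expires) {
        return 'Download period has expired';
    }
    if ((int) $row['download_count'] <= 0) {
        return 'Download limit reached';
    }
    return null;
}

// Stream the file after confining the name to DOWNLOAD_ROOT (no path traversal).
function streamFile(string $filename): void
{
    $root = realpath(DOWNLOAD_ROOT);
    $path = $root === false ? false : realpath($root . '/' . basename($filename));
    if ($path === false || strpos($path, $root . '/') !== 0 || !is_file($path)) {
        fail(404, 'File missing');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}

if (empty($_SESSION['customer_id'])) {
    fail(401, 'Please log in');
}
$orderId    = filter_input(INPUT_GET, 'order', FILTER_VALIDATE_INT);
$downloadId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!$orderId || !$downloadId) {
    fail(400, 'Bad request');
}
$db  = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop', 'secret'); // assumed DSN
$row = fetchDownload($db, (int) $_SESSION['customer_id'], $orderId, $downloadId);
if ($row === []) {
    fail(404, 'No such download on this account');
}
if (($why = releaseDecision($row, new DateTimeImmutable())) !== null) {
    fail(403, $why);
}
// Consume a download slot before streaming so an aborted transfer still counts.
$db->prepare('UPDATE orders_products_download SET download_count = download_count - 1
               WHERE orders_products_download_id = :download')
   ->execute([':download' => $downloadId]);
streamFile($row['filename']);
```

Because the status test uses names rather than a numeric threshold, an installer that appends a new status at the end of `orders_status` cannot widen the set of releasable orders by accident, and because the only thing an e-mailed link carries is an order id and a download id, the recipient still has to be logged in as the buyer for the query to return a row.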
landlordaccounting Posted August 12, 2005
> no this can not be spoofed
Well, that's good to hear. Why have so many people worried, though, that people would steal downloads? It seems here that the default installation of osCommerce protects download links.
Sierrab Posted September 2, 2005
No matter what settings I put in the downloads configuration Order Status table, I am able to see hyperlinks in "My Account" if I open another window up in my browser during the checkout process. I seem to have no argument in the code that prevents you downloading before the PayPal IPN is returned. E.g. although the order is shown as Processing [unfinished / In progress PayPal IPN Order] I can see the download link and when I click on it I get the "Save As" dialog box. I don't seem to be able to prevent this happening. Steve
brian175 Posted September 9, 2005
> No matter what settings I put in the downloads configuration Order Status table, I am able to see hyperlinks in "My Account" if I open another window up in my browser during the checkout process. I seem to have no argument in the code that prevents you downloading before the PayPal IPN is returned. E.g. although the order is shown as Processing [unfinished / In progress PayPal IPN Order] I can see the download link and when I click on it I get the "Save As" dialog box. I don't seem to be able to prevent this happening. Steve
The problem may be that the new "order status" for the PayPal IPN module gets added to the end of the orders_status table (mine was orders_status_id = 10). Downloads controller was set to allow any orders_status > 4 and the new 10 is greater than 4, so the downloads will be available. To solve, use phpMyAdmin to change the orders_status_id for "Preparing [PayPal IPN]". Just remember that the id must be unique, so you may have to change all of the others first, starting with the highest and working your way down. I made "Preparing [PayPal IPN]" orders_status_id = 1. Don't forget to change all other payment modules that reference or change the "order status".
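Clayts's setup earlier in the thread and brian175's diagnosis just above describe the same mechanism from two sides: the Downloads Controller releases a download when the order's numeric status id clears a configured value, so any status a module appends at the end of the table (a "Preparing [PayPal IPN]" at id 10 against a "> 4" setting) is released before payment has been confirmed, and so is a cancelled order at id 5. The script below is an added example, not code from osCommerce or the Downloads Controller contribution; it runs the threshold rule and an allow-list rule side by side over a status table constructed from the ids in this thread, with id 10 standing in for the appended IPN status. Everything in it is constructed for illustration.

```php
<?php
// Added example (not osCommerce or Downloads Controller code): compare a numeric
// "status id > threshold" release rule with an allow-list keyed on status name.
// The table is constructed from ids mentioned in the thread; id 10 stands in for
// a "Preparing [PayPal IPN]" status appended by a module install.
declare(strict_types=1);

const ORDERS_STATUS = [
    1     => 'Awaiting payment',
    2     => 'Order being prepared',
    3     => 'Goods despatched',
    4     => 'Awaiting Paypal authorisation',
    5     => 'Order cancelled-no payment made',
    6     => 'Please contact fallshop',
    7     => 'Updated',
    10    => 'Preparing [PayPal IPN]',        // appended later, not yet paid
    50000 => 'Awaiting Nochex authorisation',
    50001 => 'Nochex Authorised',
    50003 => 'Download now available',
    50004 => 'Paypal Authorised',
];

// Threshold rule as described in the thread: any id above the setting releases.
function releasedByThreshold(int $statusId, int $threshold): bool
{
    return $statusId > $threshold;
}

// Resolve the ids of the statuses that only a verified payment callback or an
// admin can set. Looking them up by name means renumbering the table, or a
// module appending rows, cannot silently change which ids release a download.
function releasableIds(array $statusTable, array $releasableNames): array
{
    $ids = [];
    foreach ($statusTable as $id => $name) {
        if (in_array($name, $releasableNames, true)) {
            $ids[] = $id;
        }
    }
    return $ids;
}

function releasedByAllowList(int $statusId, array $allowedIds): bool
{
    return in_array($statusId, $allowedIds, true);
}

// Run both rules over every status; returns name => ['threshold' => bool, 'allowlist' => bool].
function comparePolicies(array $statusTable, int $threshold, array $allowedIds): array
{
    $out = [];
    foreach ($statusTable as $id => $name) {
        $out[$name] = [
            'threshold' => releasedByThreshold($id, $threshold),
            'allowlist' => releasedByAllowList($id, $allowedIds),
        ];
    }
    return $out;
}

// Statuses the threshold rule releases although no payment has been confirmed.
function leakedByThreshold(array $statusTable, int $threshold, array $allowedIds): array
{
    $leaked = [];
    foreach (comparePolicies($statusTable, $threshold, $allowedIds) as $name => $r) {
        if ($r['threshold'] && !$r['allowlist']) {
            $leaked[] = $name;
        }
    }
    return $leaked;
}

$allowed = releasableIds(ORDERS_STATUS, ['Nochex Authorised', 'Download now available', 'Paypal Authorised']);

foreach (comparePolicies(ORDERS_STATUS, 4, $allowed) as $name => $r) {
    printf("%-34s threshold>4: %-5s allow-list: %s\n",
        $name, $r['threshold'] ? 'yes' : 'no', $r['allowlist'] ? 'yes' : 'no');
}
echo "\nReleased by the threshold rule without confirmed payment:\n";
foreach (leakedByThreshold(ORDERS_STATUS, 4, $allowed) as $name) {
    echo "  - $name\n";
}
```

With the threshold at 4, the listing shows "Order cancelled-no payment made", "Please contact fallshop", "Updated", "Preparing [PayPal IPN]" and "Awaiting Nochex authorisation" all released, while the allow-list releases only the three authorised statuses. Renumbering the IPN status to 1, as brian175 did, closes the hole for that one row; keying the check on status names closes it for any row a future module appends.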
Sierrab Posted September 10, 2005
> The problem may be that the new "order status" for the PayPal IPN module gets added to the end of the orders_status table (mine was orders_status_id = 10). Downloads controller was set to allow any orders_status > 4 and the new 10 is greater than 4, so the downloads will be available. To solve, use phpMyAdmin to change the orders_status_id for "Preparing [PayPal IPN]". Just remember that the id must be unique, so you may have to change all of the others first, starting with the highest and working your way down. I made "Preparing [PayPal IPN]" orders_status_id = 1. Don't forget to change all other payment modules that reference or change the "order status".
In the end I gave up on changing Order Status and made a change in account history info that prevents any downloads happening until PayPal has returned the IPN. I really think that the code that should take note of the Order Status just got "lost", as I tried everything. Thanks for your input. Steve
Steph Mu Bai Posted July 3, 2006
> In the end I gave up on changing Order Status and made a change in account history info that prevents any downloads happening until PayPal has returned the IPN. I really think that the code that should take note of the Order Status just got "lost", as I tried everything. Thanks for your input. Steve
I'd be very interested to see how you did that. Would you care to share the code? :) steph
This topic is now archived and is closed to further replies.