
Checking Out Without Paying


cpruissen


Posted

Hi,

 

In the last month I've had two people order downloads using false information, re: zzzzzzzzzz, 3333333333, etc. in the phone number address area and be able to get their order processed by bypassing both the paypal and my ecommerce gateway. I am stumped as to how their order gets processed and they actually receive the downloads without going through the gateways first.

 

How do I stop this stealing and block this from happening again? My admin files are hidden, password protected and blocked from robots in the robots.txt file.

 

Any advice would be greatly appreciated.

 

Thanks,

 

Catherine

http://childcare.net/catalog/catalog/default.php

Posted

Yep - I just tried and was able to bypass the payment processors.

 

The only way to truly protect is not to allow Immediate downloads.

 

Make the releasing of a download a manual process - and add something to your terms and conditions to this effect.

Your online success is Paramount.

Posted

This seems very serious. I am evaluating various ecommerce solutions for my downloadable products. Do you mean that I will have this big loophole in my site when I implement osCommerce? People will be able to give bogus info and download it for free?

 

Yikes,

 

Jonathan


Posted

Have you got the download controller installed ?

 

What is the default status for downloadables ?

Your online success is Paramount.

Posted

Yes, I discovered to my horror that when you go to checkout (eg the customer shoots off to the Paypal or Nochex sites to pay), if you at the same time go back into My Account before checkout and check in My orders, the downloads are there.

 

However, not to panic - as stated above, you absolutely must install the Download Controllers contribution, as this allows you greater control over when downloads become available, by playing around with the orders_status tables. As an example, my order status settings are :

 

1 Awaiting payment

2 Order being prepared

3 Goods despatched

4 Awaiting Paypal authorisation

5 Order cancelled-no payment made

6 Please contact fallshop

7 Updated

50000 Awaiting Nochex authorisation

50001 Nochex Authorised

50003 Download now available

50004 Paypal Authorised

 

And under Downloads in Admin Configuration I have the Downloads Controller Order Status Value set to 50001

 

i.e. if the order status is anything less than 50001, the download is completely unattainable, irrespective of whether the person has checked out or not.

 

Thus (if, for example, using Nochex APC/Paypal IPN) when the APC/IPN part completes, the order status switches from Awaiting Paypal or Nochex authorisation (downloads unavailable in My Account) to Paypal or Nochex Authorised (downloads available on checkout page and in My Account).

 

The way it works now is spot on (those paying by cheque/bank transfer sit at order status 1 (awaiting payment) until I get the money, then they are switched to status 50003, and an e-mail sent, and the items become downloadable in My Account) - to be fair to my customers, I don't think any of them realised, but it was a bit of a loophole, mainly of my own construction from not reading the readme.txt file with the Download Controller contrib :)

Posted

I could not work out how to do it :) My order is #2765 (Pending) you can delete it.

 

Catherine, you have a really nice site. You put a lot of work into it. You should do prettier buttons! How did you do the main site index at the bottom your home page - manually?

Posted

I achieved getting a free download link a slightly different way. I am not going to publish it here. The knowledge of which just came from experience of the download process - I am Not a hacker.

 

But the downloads controller with the correct use of statuses should combat what I achieved.

Your online success is Paramount.

Posted

For the sake of open source improvement, perhaps you should post it. As security issues arise and are made public, they must be fixed. Consider posting it, please.

 

In a related remark, is it possible for someone to directly access the /downloads/download-product-name.pdf (or whatever file it is for download) while circumventing the "my account?"

 

I'm not sure how that directory is chmod'ed, or if another method is used for security. Does someone know how the downloads directory is protected?

 

Thanks!

Posted

I refrained from posting it for no other reason than to keep the information from becoming public and thus putting other similar stores at risk.

 

But I understand what you say so:

 

When you get to the checkout_confirmation.php page during a transaction - in the address bar on your browser change the url from checkout_confirmation.php to checkout_process.php and hit enter.

Your online success is Paramount.

Posted

This is usually a problem with the status of downloadables.

 

Try the downloads controller, download by redirect and use a payment processor who can send a post to the site following purchase on which you can test and if successful at that stage set an order to delivered/downloadable. Also rename your downloads directory to something a little less obvious and update the new name in your configure file.

 

Although this doesn't eliminate c/c fraud so you may want to leave that process until you are happy with payment and can set the order to delivered/downloadable manually.

Your online success is Paramount.

Posted

I got some free manuals at oscommercemanuals.com.

 

This site is powered by oscommerce. I created an account and did everything like I'm supposed to. I got an email and clicked the links to access my free publications. Then I forwarded this email with the links to another computer (that never visited this site, so it would have no cookies and no information about my login).

 

I clicked the link and instantly got the manual in the downloads directory. This seemed like 'downloads' is chmod 777, so one customer can forward a link of their product to a friend.

 

Does the download contribution solve this? I haven't installed anything yet, because if this is as of yet unresolvable, it's a show stopper for me.

 

Thanks,

 

Jonathan

Posted

Hi Clayts,

 

Well spotted, I just checked my site and found that you can do a workaround as you suggest, so my question is....Do you add all the above to the Order Status table? Not only No's 1 to 7 but also the 5000 numbers?

 

Why the jump from 7 to 5000

 

all the best

 

Steve

Posted

Wow! I appreciate all the information and suggestions. I don't want to manually release the downloads as that is counter productive to what I offer and the competition in my marketplace is getting too intense for this.

 

I'll implement the suggestions of changing directories and applying a redirect. Hopefully this will help. People always find a way to get around any program.

 

Enjoy the day,

 

Catherine

Posted

Thanks for the compliment. Ya...the buttons aren't the best and when time allows I will update.

 

As for the list at the bottom, that is standard on all pages of my site, which is simply copied over to the footer...although looking at it now I see I need to change the copyright date....so much to do... :blush: .

 

Take care,

 

Catherine

Posted

The 5000x numbers relating to Nochex were pre-set by the Nochex APC Module. I think I may have tweaked the PayPal authorised one. The reason there's a jump is to allow you to add other order status (stati ? :P) to your system - eg had to add 8 Lost in post today :lol:

Posted

...Just to clarify!

 

I added to my cart and checked out the free products. (As advertised on the website.) I didn't download anything that wasn't offered for free. Then I forwarded the email to another pc of mine and clicked the link--voila! the file that I thought I should be protected from a direct link was available and it downloaded. (The same free file I checked out with, no others). I'm concerned why this happened on your site, because I haven't been able to replicate it in my tests. I'm new to osCommerce, why was I able to do what I did on the site?

 

The more I investigate the security of the /download/ directory, the more interesting it gets. I just installed a default installation of osCommerce. In the /download/ directory is an .htaccess file that seems to be preventing me from even accessing a file that I know resides in there. For instance, go to: http://test1.landlordaccounting.com/catalo...load/unreal.zip

 

It doesn't allow access without authentication. It says, "The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource." I wonder if this can be spoofed? I hope not, but I want to truly understand the security before I commit 100% to osCommerce.

 

Thanks for reading,

 

Jonathan

  • 3 weeks later...
Posted

No matter what settings I put in the downloads configuration Order Status table I am able to see hyperlinks in "My Account" if I open another window up in my browser during the check out process.

 

I seem to have no argument in the code that prevents you downloading before the PayPal IPN is returned.

 

EG although the order is shown as

Processing [unfinished / In progress PayPal IPN Order]

 

I can see the download link and when I click on it I get the "Save As" dialog box

 

I don't seem to be able to prevent this happening

 

Steve

Posted

The problem may be that the new "order status" for the PayPal IPN module gets added to the end of the orders_status table (mine was orders_status_id = 10). Downloads controller was set to allow any orders_status > 4 and the new 10 is greater than 4 so the downloads will be available.

 

To solve, use phpMyAdmin to change the orders_status_id for "Preparing [PayPal IPN]". Just remember that the id must be unique so you may have to change all of the others first, starting with the highest and work your way down. I made "Preparing [PayPal IPN]" orders_status_id = 1.

 

Don't forget to change all other payment modules that reference or change the "order status".
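An added illustration (not osCommerce's own download.php or the Downloads Controller contribution's code) of the two gates this thread circles around: the ordinal status threshold that lets an appended status id such as 10 through, and a check that the logged-in session actually owns the order, which a link forwarded to another browser cannot satisfy. The table layout, status ids and order record are constructed from the posts above, not taken from a live install.

```php
<?php
// Added example modelling the download release gate discussed in the thread.
// Status ids/names are constructed from the posts, not read from a real shop.
$orders_status = [
    1     => 'Awaiting payment',
    4     => 'Awaiting Paypal authorisation',
    10    => 'Preparing [PayPal IPN]',   // appended later by the IPN module: unpaid
    50001 => 'Nochex Authorised',
    50004 => 'Paypal Authorised',
];

// Gate as the contribution's "Order Status Value" setting behaves: an ordinal
// threshold. Any status appended later with a higher id (10 above) passes it
// even though it means "payment not yet confirmed".
function status_allows_threshold(int $status_id, int $threshold): bool
{
    return $status_id >= $threshold;
}

// Explicit allow-list of "payment confirmed" ids: a newly added status is
// denied until an admin deliberately lists it.
function status_allows_list(int $status_id, array $paid_status_ids): bool
{
    return in_array($status_id, $paid_status_ids, true);
}

// Full gate for one request: the session must belong to the customer who
// placed the order (a forwarded link opened elsewhere has no such session)
// and the order must be in a paid status. Only then is the file handed out.
function download_permitted(?int $session_customer_id, array $order, array $paid_status_ids): bool
{
    if ($session_customer_id === null) {
        return false;                                  // not logged in
    }
    if ($order['customers_id'] !== $session_customer_id) {
        return false;                                  // someone else's order
    }
    return status_allows_list((int) $order['orders_status'], $paid_status_ids);
}

$paid  = [50001, 50004];
$order = ['orders_id' => 1001, 'customers_id' => 42, 'orders_status' => 10]; // constructed

foreach ($orders_status as $id => $name) {
    printf("%-6d %-30s threshold(>4): %-3s allow-list: %s\n", $id, $name,
        status_allows_threshold($id, 5) ? 'yes' : 'no',
        status_allows_list($id, $paid) ? 'yes' : 'no');
}
var_dump(download_permitted(42, $order, $paid));   // owner, but IPN not returned yet
var_dump(download_permitted(null, $order, $paid)); // forwarded link, no session
```

Run it with `php gate.php`: the loop shows which statuses each gate admits, and the two `var_dump` calls show the owner being refused until the status is in the paid list and an anonymous request being refused outright.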

Posted

In the end I gave up on changing Order Status and made a change in account history info that prevents any downloads happening until PayPal has returned the IPN.

 

I really think that the code that should take note of the Order Status just got "lost", as I tried everything.

 

Thanks for your input

 

Steve

  • 9 months later...
Posted

I'd be very interested to see how you did that ? would you care to share the code ? :)

 

steph
