
osCommerce

The e-commerce.

checkout_process susceptible to fraud?


Guest


Posted

in my opinion it's far too easy to fake a payment leaving checkout_process.php as is.

 

if i go through the checkout steps as a regular customer, i can enter fake cc or paypal info... get to checkout confirmation and merely type /checkout_process.php in the address bar and my order appears in the admin panel as a legit order.

 

of course the best way to prevent fraud entirely is to check and confirm each order, but it would be a better peace of mind if i could safely rename this file to something only i could ever know

 

 

anyone have any suggestions as to how i could rename it?

Posted

That's called "security by obscurity." It's like putting your diamonds in the bathroom closet instead of a safe. They're not where one would expect them to be, but they're still not protected.

 

Renaming the file will only save you from the people who don't have the time or inclination to dig deeper, but it does stop many people. As an added step, you should look closer at what's happening between paypal and checkout_process and see if there's anything that you can use to add some more protection.

Contributions

 

Discount Coupon Codes

Donations

Posted

isn't checkout_process hardcoded into checkout_confirmation? so by renaming it nobody would be able to find it?

 

the problem i see isn't only with paypal, it can occur with credit cards as well, if i'm not mistaken?

Posted

Here's the line:

 

    if (isset($$payment->form_action_url)) {
      $form_action_url = $$payment->form_action_url;
    } else {
      $form_action_url = tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL');
    }

 

FILENAME_CHECKOUT_PROCESS is defined in includes/filenames.php, so unless you have custom code/contributions that call it explicitly, you only need to change the name of the file, then reflect that in the includes/filenames.php file and in your payment modules (where applicable). The form_action_url is if the payment module has an offsite or custom processing screen.

 

People would be able to find the name of it. It depends on the payment method and your modules how easy it would be. If you accept things like checks or money orders that don't go offsite, place an order and follow the steps to checkout_confirmation.php. View the HTML source through your browser and search for "Confirm Order". On that line you'll see the file the form is posting to, as well as all the shipping and payment information. That's how someone knows where to post with spoofed information.

Contributions

 

Discount Coupon Codes

Donations

Posted
> View the HTML source through your browser and search for "Confirm Order". On that line you'll see the file the form is posting to, as well as all the shipping and payment information.

good point. i didn't think of that

 

is there any way to protect that line from being viewed?

due to the way paypal works and considering the majority of users never return to the site to complete the checkout process anyway... it seems unlikely that verifying the data would be of any use

 

it doesn't really matter if someone enters false info with a check or money order, because i don't think anybody in their right mind sends the goods without getting payment anyways :)

Posted
> is there any way to protect that line from being viewed?
>
> due to the way paypal works and considering the majority of users never return to the site to complete the checkout process anyway... it seems unlikely that verifying the data would be of any use
>
> it doesn't really matter if someone enters false info with a check or money order, because i don't think anybody in their right mind sends the goods without getting payment anyways :)

 

You can still choose check/money order, proceed to checkout_confirmation.php, find the name of the checkout_process file, go back and change to paypal, then still use the method you described in your first post because they now know the checkout_process filename. All that requires quite a bit of knowledge about OSC and a lot more time and effort, but it's not difficult for someone who knows how to do it. You're safe from people who don't have the time/knowledge, but it offers NO security whatsoever for those who do have the time/knowledge.

 

obscurity != security

 

If you don't allow check/money order, someone can still place a small legit order to get the information (though that's pretty unlikely!).

 

I assume paypal passes some kind of confirmation ID back to the checkout, which you could check for. If that ID is not present and the payment type is through paypal, then don't process the order. (As I mentioned, I don't know how paypal does its thing, so I'm just making some assumptions. ;) )

Contributions

 

Discount Coupon Codes

Donations

Archived

This topic is now archived and is closed to further replies.
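
The check suggested in the last reply (do not process a PayPal order that has no confirmation), as an added example that is not osCommerce code and not part of any post. The function names, the in-memory store and the HMAC-signed callback are assumptions for illustration and do not describe PayPal's actual protocol. It goes one step beyond the reply by verifying the confirmation server-side and binding it to the cart and amount, so that reaching the URL or supplying a made-up ID is not enough.

```php
<?php
// Added example, not osCommerce code. All names below are hypothetical.
// Assumption: the payment provider sends a server-to-server callback signed
// with a shared secret. This is a constructed scheme, not PayPal's protocol.
const GATEWAY_SECRET = 'constructed-demo-secret';

// Signature the provider would attach to its callback (constructed scheme).
function sign_confirmation(string $cartId, string $amount, string $txnId): string {
    return hash_hmac('sha256', "$cartId|$amount|$txnId", GATEWAY_SECRET);
}

// Callback handler: record the payment only if the signature verifies.
function record_verified_payment(array &$store, array $cb): bool {
    $expected = sign_confirmation($cb['cart_id'], $cb['amount'], $cb['txn_id']);
    if (!hash_equals($expected, $cb['sig'] ?? '')) {
        return false;
    }
    $store[$cb['cart_id']] = ['amount' => $cb['amount'], 'txn_id' => $cb['txn_id'], 'used' => false];
    return true;
}

// Gate for the order-processing step: decide from server-side state, never
// from the fact that the browser reached this URL or from posted form fields.
function may_process_order(array &$store, string $method, string $cartId, string $total): bool {
    if ($method !== 'paypal') {
        return true; // e.g. check/money order: the order stays pending until paid
    }
    $p = $store[$cartId] ?? null;
    if ($p === null || $p['used'] || $p['amount'] !== $total) {
        return false; // no confirmation, already consumed, or amount mismatch
    }
    $store[$cartId]['used'] = true; // one confirmation pays for one order
    return true;
}

// Constructed sample run.
$store = [];
$cb = ['cart_id' => 'C1001', 'amount' => '49.90', 'txn_id' => 'T-DEMO-1'];
$cb['sig'] = sign_confirmation($cb['cart_id'], $cb['amount'], $cb['txn_id']);

var_dump(may_process_order($store, 'paypal', 'C1001', '49.90')); // URL requested before any callback
var_dump(record_verified_payment($store, ['sig' => 'forged'] + $cb)); // callback with a bad signature
var_dump(record_verified_payment($store, $cb));                  // genuine callback
var_dump(may_process_order($store, 'paypal', 'C1001', '59.90')); // cart total changed after payment
var_dump(may_process_order($store, 'paypal', 'C1001', '49.90')); // matching confirmation on record
var_dump(may_process_order($store, 'paypal', 'C1001', '49.90')); // same confirmation presented again
```

In a real store the `$store` array would be a database table written only by the callback handler, and the gate would run at the top of the order-processing script before any order row is created.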
