osCommerce

Security Issue



Posted

I have a store that uses No Chex as a payment method.

When a customer is at checkout_confirmation.php, if they replace it with checkout_process.php, the order is then accepted and added to the person's account as paid.

This is not a problem, as I also get an email from NoChex to inform me payment has been made, so if I don't, then no goods are sent. However, if the products are downloads this could prove a problem.

Any ideas?

Russell

PS I am not using SSL as payments are taken by No Chex.

Posted

There are many things you could do; a couple of them:

Change the catalog\download.php file where it does the query for the download and add an extra check for the order download status, if it's set to delivered. Thus only the administrator can change the order status once the payment is through.

Add an extra session variable, or use an existing one, during checkout that will monitor the sequence of the checkout pages and act accordingly. You could, for example, log the visitor out automatically or ban an IP when the code detects foul play.
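The session-sequence check suggested above, as an added example (not osCommerce's own code, and not code posted in this thread). It models the session as a PHP array so the file runs from the command line; the stage names, the token field and the order-status ids are assumptions. In a store the same checks go into checkout_payment.php, checkout_confirmation.php, checkout_process.php and download.php against the live session and the orders table.

```php
<?php
// Added example, not osCommerce code: refuse checkout_process.php unless the
// session proves the customer came through checkout_confirmation.php.
// The session is modelled as an array passed by reference so this runs under
// php-cli; in a store the same checks would sit in the two scripts and read
// $_SESSION (or osCommerce's session helpers). Stage names are assumptions.
declare(strict_types=1);

const STAGE_PAYMENT   = 'payment';
const STAGE_CONFIRMED = 'confirmed';

// checkout_payment.php: the customer has chosen a payment module.
function checkout_payment(array &$session, string $module): void
{
    $session['payment'] = $module;
    $session['checkout_stage'] = STAGE_PAYMENT;
    unset($session['checkout_token']);
}

// checkout_confirmation.php: the order summary was rendered. Record that and
// issue a one-time token the confirmation form submits as a hidden field. It
// is not a secret kept from the customer (they can read it in the HTML); it
// proves the request comes from a confirmation page this session rendered.
function checkout_confirmation(array &$session): string
{
    if (($session['checkout_stage'] ?? null) !== STAGE_PAYMENT) {
        throw new RuntimeException('redirect to checkout_payment.php');
    }
    $token = bin2hex(random_bytes(16));
    $session['checkout_stage'] = STAGE_CONFIRMED;
    $session['checkout_token'] = $token;
    return $token;
}

// checkout_process.php: allow the order to be created only when the stage is
// "confirmed" and the posted token matches. The token is consumed, so
// re-posting the same form a second time is refused as well.
function checkout_process(array &$session, ?string $posted_token): bool
{
    $expected = $session['checkout_token'] ?? null;
    if (($session['checkout_stage'] ?? null) !== STAGE_CONFIRMED
        || $expected === null || $posted_token === null
        || !hash_equals($expected, $posted_token)) {
        return false;
    }
    unset($session['checkout_stage'], $session['checkout_token']);
    return true;
}

// download.php: even if an order row exists, release the file only once the
// order has a status that the administrator (or a verified gateway callback)
// sets after payment. Status ids and the remaining-downloads fields are
// assumptions; osCommerce's own values differ.
const STATUS_PENDING   = 1;
const STATUS_DELIVERED = 3;

function download_allowed(int $status_id, int $downloads_left, int $days_left): bool
{
    return $status_id === STATUS_DELIVERED && $downloads_left > 0 && $days_left > 0;
}

// Walk both flows so the difference is visible when run from the CLI.
function demo(): array
{
    $legit = [];
    checkout_payment($legit, 'nochex');
    $token = checkout_confirmation($legit);
    $first  = checkout_process($legit, $token);   // normal submit of the form
    $replay = checkout_process($legit, $token);   // same form posted again

    $skip = [];
    checkout_payment($skip, 'nochex');
    $skipped = checkout_process($skip, null);     // URL typed in, confirmation never reached

    return [
        'legit'    => $first,
        'replay'   => $replay,
        'skipped'  => $skipped,
        'download' => [download_allowed(STATUS_PENDING, 5, 7), download_allowed(STATUS_DELIVERED, 5, 7)],
    ];
}

var_dump(demo());
```

The token does not need to be hidden from the customer; its job is to bind the request to a confirmation page that this session actually rendered. A visitor who types checkout_process.php into the address bar has no current token and no "confirmed" stage, so the order is never created, whatever the file is called. The download check is independent of the session and is the backstop if the order row is ever created by some other route.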

Posted
> There are many things you could do; a couple of them:
>
> Change the catalog\download.php file where it does the query for the download and add an extra check for the order download status, if it's set to delivered. Thus only the administrator can change the order status once the payment is through.
>
> Add an extra session variable, or use an existing one, during checkout that will monitor the sequence of the checkout pages and act accordingly. You could, for example, log the visitor out automatically or ban an IP when the code detects foul play.

OK, thanks for that. The status I had already figured out, but it is a pain for customers to wait for download authorisation.

The No Chex code is: returnurl', tep_href_link(FILENAME_CHECKOUT_PROCESS, therefore it does it automatically on the return when payment is made.

I am not sure how to write another session; banning an IP can be tiresome, and so many people are using non-static IP addresses that constantly change.

I think that all payment modules are made that way, but I thought I would point it out so people are aware that this can happen. Don't ask me why I tried it, LOL.

Anyway, an idea I just thought of is to rename checkout_process.php and then edit the FILENAME to the new name. I have not tried this as I have only just thought of it, but at least you would be the only person that knew the new name, as I don't think people can see the name anywhere.

Posted
> The No Chex code is: returnurl', tep_href_link(FILENAME_CHECKOUT_PROCESS, therefore it does it automatically on the return when payment is made.

Then you can automate it once you have a successful response from the gateway to enable it. But again, they can change the returned data if the response is simply posted.

> Anyway, an idea I just thought of is to rename checkout_process.php and then edit the FILENAME to the new name. I have not tried this as I have only just thought of it, but at least you would be the only person that knew the new name, as I don't think people can see the name anywhere.

Same here: they can examine the form in the checkout_confirmation page and figure out the success response, unless you exchange data with the gateway by other means.

The session is far more effective, and it's up to you how to process it.
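The "exchange data with the gateway by other means" point, as an added example (not osCommerce's or NoChex's code): a return handler that marks an order paid only when the posted fields carry an authenticator the gateway computed and match the store's own record of the order. The field names, the shared-secret HMAC and the orders table are assumptions standing in for whatever verification the real gateway provides; the structure of the checks is the part that carries over.

```php
<?php
// Added example, not osCommerce's or NoChex's code: treat the gateway's
// return to checkout_process.php as untrusted input. The order is marked paid
// only when (a) the posted fields carry a MAC the gateway computed with a
// shared secret, (b) they name an existing, still-unpaid order, (c) the amount
// and currency equal what the store recorded, and (d) the transaction id has
// not been credited before. Field names and the HMAC scheme are assumptions;
// real gateways publish their own verification method (often a server-side
// callback you confirm with them), which should take the place of sign().
declare(strict_types=1);

// Constructed merchant-side records: what our database says about each order.
function orders_db(): array
{
    return [
        1001 => ['amount' => '49.99', 'currency' => 'GBP', 'paid' => false],
        1002 => ['amount' => '5.00',  'currency' => 'GBP', 'paid' => true],
    ];
}

// Fields covered by the MAC, in a fixed order; 'sig' itself is excluded.
function canonical(array $fields): string
{
    $parts = [];
    foreach (['order_id', 'amount', 'currency', 'status', 'txn_id'] as $name) {
        $parts[] = $name . '=' . (string) ($fields[$name] ?? '');
    }
    return implode('&', $parts);
}

function sign(array $fields, string $secret): string
{
    return hash_hmac('sha256', canonical($fields), $secret);
}

// Compare money as integer minor units, never with float ==.
function minor_units(string $amount): int
{
    return (int) round(((float) $amount) * 100);
}

// Returns 'paid' when the order may be marked paid, otherwise the reason it
// was refused. $credited models a table of transaction ids already credited.
function verify_gateway_return(array $post, string $secret, array &$credited): string
{
    $sig = $post['sig'] ?? null;
    if (!is_string($sig) || !hash_equals(sign($post, $secret), $sig)) {
        return 'bad-signature';        // forged or edited form post
    }
    $order = orders_db()[(int) ($post['order_id'] ?? 0)] ?? null;
    if ($order === null) {
        return 'unknown-order';
    }
    if ($order['paid']) {
        return 'already-paid';
    }
    if (($post['status'] ?? '') !== 'success') {
        return 'not-successful';
    }
    if (minor_units((string) ($post['amount'] ?? '')) !== minor_units($order['amount'])
        || ($post['currency'] ?? '') !== $order['currency']) {
        return 'amount-mismatch';      // e.g. a 0.01 payment against a 49.99 order
    }
    $txn = (string) ($post['txn_id'] ?? '');
    if ($txn === '' || isset($credited[$txn])) {
        return 'replayed';
    }
    $credited[$txn] = true;
    return 'paid';
}

// Constructed messages: one genuine, one edited after signing, one replayed,
// one genuine but for a lower amount than the order total.
function demo(): array
{
    $secret   = 'constructed-shared-secret';
    $credited = [];
    $base = ['order_id' => '1001', 'amount' => '49.99', 'currency' => 'GBP',
             'status' => 'success', 'txn_id' => 'TXN-1'];
    $genuine = $base + ['sig' => sign($base, $secret)];
    $edited  = ['amount' => '0.01'] + $genuine;           // amount changed, old sig kept
    $short   = ['amount' => '0.01', 'txn_id' => 'TXN-2'] + $base;
    $short  += ['sig' => sign($short, $secret)];          // properly signed, but underpaid

    return [
        'genuine' => verify_gateway_return($genuine, $secret, $credited),
        'edited'  => verify_gateway_return($edited,  $secret, $credited),
        'replay'  => verify_gateway_return($genuine, $secret, $credited),
        'short'   => verify_gateway_return($short,   $secret, $credited),
    ];
}

var_dump(demo());
```

If the gateway offers a server-to-server confirmation (a callback you post back to the gateway, or an API you query by transaction id), use that as the trigger for marking the order paid and treat the browser's arrival at the return URL as display only. The amount, status and replay checks above still apply to the callback: an authentic message for the wrong amount or for a transaction already credited must not release a download either.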

Posted
> Then you can automate it once you have a successful response from the gateway to enable it. But again, they can change the returned data if the response is simply posted.
>
> Same here: they can examine the form in the checkout_confirmation page and figure out the success response, unless you exchange data with the gateway by other means.
>
> The session is far more effective, and it's up to you how to process it.

OK, I have just checked the source code and you are right, anyone can see it. As said before, I have no idea about writing a session, and as I feel this is quite a security problem for anyone that does do automatic downloads, can anyone who does know how to write such clever stuff look into this? I do not offer downloads so it does not affect me at the moment, but I am thinking of it in the future.

Many thanks

PS I know there are programs or even code that can hide your source code, but I have found some of these do not work in Firefox. Am I paranoid or what?

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...