Guest Posted March 30, 2006
Hi everyone, can someone please offer some advice on this, as it's a real security worry... While testing my store tonight, I have discovered that if I log in as a customer, add a couple of (downloadable) products to my cart, click through checkout, get to the confirmation page and then type confirmation_process.php in the address bar, I arrive at confirmation_success.php. Products are there to download, my shopping cart is empty. It appears I can jump the Nochex payment screen... Any ideas on how I can fix this ASAP? My store is due to go live very soon... Thanks in advance...

Guest Posted March 30, 2006
Can anyone offer any help with this? Any suggestions? I have tried searching the forum ("payments" "checkout_process") and couldn't find anything to help... :(

Guest Posted March 30, 2006
Hi everyone, can someone please offer some advice on this, as it's a real security worry... While testing my store tonight, I have discovered that if I log in as a customer, add a couple of (downloadable) products to my cart, click through checkout, get to the confirmation page and then type checkout_process.php in the address bar, I arrive at checkout_success.php. Products are there to download, my shopping cart is empty. It appears I can jump the Nochex payment screen... Any ideas on how I can fix this ASAP? My store is due to go live very soon... Thanks in advance...

Guest Posted March 30, 2006
Hi everyone, can someone please offer some advice on this, as it's a real security worry... While testing my store tonight, I have discovered that if I log in as a customer, add a couple of (downloadable) products to my cart, click through checkout, get to the confirmation page and then type checkout_process.php in the address bar, I arrive at checkout_success.php. Products are there to download, my shopping cart is empty. It appears I can jump the Nochex payment screen... Any ideas on how I can fix this ASAP? My store is due to go live very soon... Thanks in advance...

My apologies, the PHP files I referred to in my initial post were incorrect. I have posted again, highlighting in bold the PHP files that I'm having problems with... Any help appreciated...
Darren

dynamoeffects Posted March 30, 2006
Please stop spamming the board with this. Yes, we know it's important - but you're not helping by doing this. I just confirmed that this exploit works. Very surprising that it's been around this long.

Please use the forums for support! I am happy to help you here, but I am unable to offer free technical support over instant messenger or e-mail.

dynamoeffects Posted March 30, 2006
On second look, the order shows up fine in the admin. Are you sure it's not charging your card? I only have COD enabled, so I can really test that aspect of it. And actually, now that I really look at it, all of the order information is stored in session variables, so when you just go to checkout_process, it should still charge your card fine. With Nochex, does it send the visitor to their site then back to yours?

Guest Posted March 30, 2006
First up, apologies for "spamming" the board - it wasn't intentional; I'm very tired, made mistakes in my original post and have no option to edit, so my apologies... As far as session variables etc. are concerned, I have no experience of this whatsoever, so it goes straight over my head - I'm still pretty new! In answer to your question, I completely bypass the Nochex screen. No request to enter payment details, it just jumps straight to checkout_success.php and allows me to download.

Just to clarify where we're at, have you tested this and experienced the same problem? Your second bug report comment states: "Nevermind, after a deeper inspection, there is no exploit." But the forum posts above suggest you have found the exploit. Thanks for your time.
Darren

dynamoeffects Posted March 30, 2006
It's not an OSC security flaw because the only way that you're able to get past checkout_process without paying is if your payment module doesn't report any errors. You should be looking at the Nochex payment module.

Guest Posted March 30, 2006
Thanks for the reply, I will take a closer look at the Nochex module... In the meantime, I'm not sure if it's me not explaining it properly or it being misunderstood... but I don't have to enter any payment details at all, period. I completely bypass the screens... Once in my shopping cart I work my way through the checkout path, Delivery Info -> Payment Info -> Checkout Confirmation. When I get here (and having not entered any credit card details or gone anywhere near Nochex) I can simply replace the checkout_confirmation.php with checkout_process.php in the URL, and it will jump to the finished screen, checkout_success.php... with all the products to download...

I think I understand what you're saying about the Nochex module, IF it's working in the background, while I'm still at the earlier stages of checkout... Personally, I don't know the answer to this question as I don't know enough about OSC / PHP.

Looking at it from a slightly different angle, wouldn't it just be easier to write into the code a rule to tell the checkout_process page to only open from a specific source? For example, only open if it's called from the page before it in the checkout path? Or perhaps a way of telling the page how to recognise it's being input as a URL in a browser and not to allow it? I've got a feeling we already use something similar to the first suggestion for a couple of pages... i.e. if you are not logged on and click 'my account' from the nav bar, it takes you back to the login/create account page.

Any ideas? I'm no PHP coder (so laugh by all means! :D), just trying to problem solve... Let me know what you think...

logiczero Posted March 30, 2006
> any ideas?....

Look at line 60 of checkout_confirmation.php.

    if (is_array($payment_modules->modules)) {
      $payment_modules->pre_confirmation_check();
    }

It's doing a check to make sure your payment information is squared away before it will load the confirmation page. Open up catalog/includes/modules/payment/nochex.php and search for 'function pre_confirmation_check'. Compare the code in that function to the code in the same function in a file like catalog/includes/modules/payment/cc.php... It's pretty obvious that the NoChex module is not doing any validation for you, and that's why you're able to skip ahead in the checkout process.

I don't know anything about NoChex. But I can tell you that "return false;" is not helping you. If you have a relationship with NoChex, perhaps somebody on that end can help you; I'm sure you wouldn't be their first osCommerce customer.

dynamoeffects Posted March 30, 2006
> Thanks for the reply i will take a closer look at the Nochex module.... In the meantime, im not sure if its me not explaining it properly or it being misunderstood..... but i dont have to enter any payment details at all, period.

Which payment module is selected? You wouldn't be able to get to the confirmation page without selecting a payment module, so you either have Cash on Delivery enabled and checked, or the Nochex module is non-functional.

logiczero Posted March 30, 2006
> Which payment module is selected?

Looks to me like if there's only one payment option available, then it just chooses that one by default.

checkout_confirmation.php, line 55

    //Is this ever true if there's only one payment module?
    if ( ( is_array($payment_modules->modules) && (sizeof($payment_modules->modules) > 1) && !is_object($$payment) ) || (is_object($$payment) && ($$payment->enabled == false)) ) {
      tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode(ERROR_NO_PAYMENT_MODULE_SELECTED), 'SSL'));
    }

It chooses NoChex, because that's all there is, and NoChex doesn't validate that the user entered any payment info, so the code in checkout_confirmation.php continues merrily along...

Guest Posted March 30, 2006
> Which payment module is selected? You wouldn't be able to get to the confirmation page without selecting a payment module, so you either have Cash on Delivery enabled and checked, or the Nochex module is non-functional.

Unless you're handling the payment gateways in some special and custom way (like using IPN, for instance) you can bypass every one of them. Just download the default osC and check the default payment modules.

Flyer5 Posted March 30, 2006
Hi, I have a site with Nochex installed. If I follow your earlier mail and replace the URL at checkout_confirmation with checkout_process.php, I am forced to log back in. I am using the Nochex APC responder. Your exploit doesn't work on my site.
F5

Guest Posted March 30, 2006
> Hi I have a site with nochex installed if i follow your earlier mail and replace the url at checkout_confirmation with checkout_process.php i am forced to log back in. I am using the nochex apc responder. Your exploit doesnt work on my site. F5

You have to preserve the session ID in the address bar of your browser, otherwise you lose the cart and the login info. But that will happen for any page you try to go to, like shopping_cart.php. If you preserve the session you can bypass it.

Guest Posted March 30, 2006
BTW it's not my exploit, it's been discussed several times in the past. http://www.oscommerce.com/forums/index.php?sho...=0entry440735 The problem exists mainly with downloads (because you will check the funds before shipping physical items), but there are workarounds posted, plus the download controller, to eliminate the side effects.

Guest Posted March 30, 2006
Thanks for all the input so far everyone, I'm beginning to understand a bit more about what's going on now. Mark, you mention workarounds posted, any idea where, buddy? Or what I should search for? I'll keep searching in the meantime. I've also read the link posted above and can see they are touching on the subject, but don't really see or understand a solution. If I'm missing something, I'd be really grateful if you can point it out for me... Any further ideas or suggestions welcome. Thanks again,
Darren

Guest Posted March 30, 2006
Apologies for the spelling too, I'm still really tired! :wacko: If it helps, I can post my Nochex module page up here?

Guest Posted March 31, 2006
This is one of the posts I mentioned earlier about it. http://www.oscommerce.com/forums/index.php?showtopic=195731 But if you want to find something automatic it's more complicated, and maybe you need to search the forum for curl or some other SSL-type script that verifies the gateway interaction, rather than searching for downloads.

Guest Posted March 31, 2006
Thanks for this tip Mark, it's very helpful and sheds more light. I don't have any idea when it comes to curl, how does this script work? What page and where would I place it? Sorry if these questions are a bit newbie...

Guest Posted March 31, 2006
What about some code that tells the pre-confirmation check (which just reads false in the module) to check to see if the page has been called from the final page of the Nochex transaction? Is this what you refer to when you mention a script that verifies the gateway interaction? Thanks...

Guest Posted March 31, 2006
Hi everyone, this has been suggested, can anyone be so kind as to expand on it for me?

> Hi Darren, are your downloadable items hard coded into the success page? Or are they shown via PHP? If using PHP to show the downloads, you could add a simple query to check. For example, on the success page the process could be:
>
>     if <&session ID> = <$session_ID_in_db> & payment_status=completed, & product=active
>       echo download links
>     if not
>       exit show nothing..
>
> Above is not PHP, it's just to show how it could check before showing the links. It sounds like there is no check on the success page to see if it's been paid or not before showing downloads (very unsecure etc). It should check the DB to see if it's OK to show the download links.

Thanks in advance! :thumbsup:
Darren

Guest Posted April 1, 2006
Does anyone have any suggestions on how the above could be changed so it works? Any ideas? Thanks in advance...
Darren

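An added example, not part of any post in this thread and not osCommerce or Nochex code: a self-contained PHP model of the check suggested above, where downloads are released only for an order that a verified gateway callback has marked paid. All function names, the in-memory order array and the HMAC-signed callback are assumptions; the HMAC stands in for whatever verification the payment gateway actually provides.

```php
<?php
// Added example: constructed data and hypothetical names throughout.
const STATUS_PENDING = 'pending';
const STATUS_PAID    = 'paid';

// checkout_process step: record the order, but grant nothing yet.
function create_order(array &$orders, int $customerId, float $total): int {
    $id = count($orders) + 1;
    $orders[$id] = ['customer_id' => $customerId, 'total' => $total,
                    'status' => STATUS_PENDING];
    return $id;
}

// Server-to-server gateway callback: the only code path that marks an order paid.
// The browser never reaches this function, so editing the URL cannot trigger it.
function handle_gateway_callback(array &$orders, array $msg, string $secret): bool {
    if (!isset($msg['order_id'], $msg['amount'], $msg['signature'])) return false;
    $expected = hash_hmac('sha256', $msg['order_id'] . '|' . $msg['amount'], $secret);
    if (!hash_equals($expected, (string) $msg['signature'])) return false; // forged
    $id = (int) $msg['order_id'];
    if (!isset($orders[$id])) return false;                      // unknown order
    if (abs($orders[$id]['total'] - (float) $msg['amount']) > 0.001) {
        return false;                                            // amount mismatch
    }
    $orders[$id]['status'] = STATUS_PAID;
    return true;
}

// checkout_success step: list downloads only for the customer's own paid order.
function downloads_allowed(array $orders, int $orderId, int $sessionCustomerId): bool {
    return isset($orders[$orderId])
        && $orders[$orderId]['customer_id'] === $sessionCustomerId
        && $orders[$orderId]['status'] === STATUS_PAID;
}

$orders = [];                                   // stands in for the orders table
$secret = 'example-secret';                     // constructed placeholder
$id = create_order($orders, 42, 19.99);         // customer went straight to checkout_process
var_dump(downloads_allowed($orders, $id, 42));  // no gateway confirmation yet

$msg = ['order_id' => (string) $id, 'amount' => '19.99'];
$msg['signature'] = hash_hmac('sha256', $msg['order_id'] . '|' . $msg['amount'], $secret);
handle_gateway_callback($orders, $msg, $secret); // gateway confirms the payment
var_dump(downloads_allowed($orders, $id, 42));  // same customer, order now paid
var_dump(downloads_allowed($orders, $id, 7));   // a different customer's session
```

The decision rests on state the server recorded from the gateway, not on which page the browser came from, so a referrer or page-order check is not needed for it to hold.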
This topic is now archived and is closed to further replies.