twigster Posted May 2, 2006
I have just managed to hack my website and I believe I am not the only person with this problem. When buying an item from my shop I went through the normal checkout procedure. I selected the postage method and then the Nochex method for payment. When hitting the Nochex credit/debit card payment screen I typed the following in the URL address bar: https://www.mydomain.com/catalog/checkout_process.php This then took me to the order confirmation screen and added the items I ordered to the database without having paid for them. Has this problem been spotted before, and is there a fix for it? I can't go live with my shop until this has been fixed. Regards, Mike
Stickle Posted May 2, 2006
Have you set permissions correctly on your website? I've just tried to replicate the same error with my example store and don't appear to get any problems at all....
twigster Posted May 2, 2006 (Author)
What permissions do I need to set to get this problem fixed? Many thanks
Stickle Posted May 2, 2006
Just the basic ones it advises in the installation file......
Rename the catalog/install folder or delete it.
Reset the permissions on /catalog/includes/configure.php to 644 (if you are still getting the warning message at the top, set configure.php to 444, which is read only - this happens on some servers that have been updated for security reasons).
Set the permissions on the /catalog/images directory to 777.
Reset the permissions on /catalog/admin/includes/configure.php to 644.
Create the dir /catalog/admin/backups and set the permissions to 777.
Set the permissions on the /catalog/admin/images/graphs directory to 777.
You need to .htaccess your /catalog/admin directory so that it is password protected. You can use the password manager in your server admin area like cPanel.
Guest Posted May 2, 2006
Chmodding your folders isn't going to solve it. I (and many others) have posted about this before and there is no known fix. Verifying your orders before sending stuff out is all you can do.
yanarasod Posted May 2, 2006
Same problem with my catalog. Thanks very, very much for highlighting this; if you have any suggestions please do share. I think it's a big problem.
user99999999 Posted May 2, 2006
http://www.oscommerce.com/community/contributions,2280 Try this mod instead; it uses payment notification from Nochex instead of a browser redirect to confirm the payment, similar to PayPal IPN.
yanarasod Posted May 2, 2006
I have PayPal, check and Nochex, and still, without completing payment, this remains.
chooch Posted May 2, 2006
I just decided to take a look and did the same thing. I got to the checkout confirmation page before typing in 'checkout_process' - the same thing happened. You just get to the checkout confirmation page and don't hit the continue button; you simply go type in the hack and it works. Yes, store owners should log in to their PayPal accounts etc. before releasing goods to make sure of the payment, but there has to be a fix somewhere.
Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back! Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you? There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere. CHOOCH
♥Vger Posted May 15, 2006
I just checked this out - went as far as checkout_confirmation.php andством changed the address to checkout_success.php, and did go to the checkout_success.php page. However, no order was recorded in the admin panel, the shopping cart did not get updated, and no order emails got fired off. I haven't been able to replicate the original problem - of getting as far as the PayPal payment screen, then changing the URL in the address bar and coming back to checkout_success.php with the order having been processed. All that I got was the Shopping Cart page saying that the cart was empty, with no order recorded. I don't know what happens with Nochex as I don't use them. Vger
yanarasod Posted May 15, 2006
I had a quick chat on another forum and some people gave many useful tips, but I am new to all this, so I am posting the URL as you may understand how to stop this problem. http://w3schools.invisionzone.com/index.php?showtopic=4598
dave111 Posted May 15, 2006
Just check that you actually got the money before you send stuff out :P
yanarasod Posted May 15, 2006
Whatever it may be, there must be a secure solution to this.
x360modz Posted May 15, 2006
I tried to replicate the problem and it did record the order, so someone please think of how to stop this.
kgt Posted May 15, 2006
Nochex probably posts some information to checkout_process.php (though osC probably ignores this since it's not strictly necessary for completing an order). Checking for a "return value" from Nochex in checkout_process.php would verify that the customer completed checkout on the third-party site.
Contributions: Discount Coupon Codes, Donations
videobus Posted May 15, 2006
A simple solution may be to rename checkout_process.php to a non-meaningful name such as xyzabc.php and then rename the appropriate filename definitions to match in filename.php. This way only you know the name of the actual checkout process file. Everyone else has to guess.
existing: define('FILENAME_CHECKOUT_PROCESS', 'checkout_process.php');
new: define('FILENAME_CHECKOUT_PROCESS', 'xyzabc.php');
If they guess correctly, they deserve to get the item for free :)
kgt Posted May 15, 2006
This won't stop any competent fraudster. Though most wouldn't bother, they can find out the name of the checkout_process file if they place a real order, and thereafter can place orders under multiple accounts without going through the payment processing. Also, if you have a payment type that doesn't require the customer to leave your site (such as COD), they can proceed as far as the confirmation screen and get the URL that it posts to. From that point, they can return to the payment screen, switch to another form of payment, and skip to checkout_process.
yanarasod Posted May 15, 2006
The best thing is to have temporary URLs that are produced by the database: each time a buyer buys an item there is a new URL for the checkout_success.php, and the URL is auto-deleted after he moves on or leaves the site. http://w3schools.invisionzone.com/index.php?showtopic=4598 I got these suggestions from another forum, but don't know how to accomplish it; maybe someone else can, and put an end to this issue.
kgt Posted May 15, 2006
Payment modules like Nochex (I assume) and PayPal require a static URL for when a customer returns to your site from their checkout.
chooch Posted May 16, 2006
Regardless of the payment module selected, the hack is still there. If you add an item to the cart and continue to checkout, it should take you to the checkout_shipping page. Once shipping is selected and 'continue' is pressed, it should take you to the checkout_payment page. At this point you can select any method of payment you like (PayPal, Nochex, Authorize.Net - anything). Once selected and 'continue' is pressed, it should take you to the checkout_confirmation page - at this point all you have to do is type in URL/checkout_process.php and the transaction is completed. Even the emails are sent as if a normal, real order had taken place. The order is also updated in admin, and the method of payment you selected shows up as the method of payment. The only way of distinguishing the fraudulent transaction from a bona fide one is the fact that the payment module (i.e. PayPal/Nochex/Authorize.Net etc.) hasn't sent you an email stating payment was sent! This hack is an absolute disaster for osC sites that have downloadable items.
Guest Posted May 16, 2006
Not sure if this helps anyone, but I tried to duplicate this scenario, and when I type checkout_success.php in the browser at checkout_confirmation.php, I get the shopping_cart.php screen with an empty cart and no order generated. I use PayPal WPP, but do not use Nochex.
chooch Posted May 16, 2006
Why type checkout_success.php? You need to re-read my previous post and note where and when to type checkout_process.php, regardless of the payment module used.
♥Vger Posted May 16, 2006
I have rechecked this, and "Yes" it is a problem - and not just with osCommerce either! Vger
luckyhuckster Posted May 16, 2006
I just successfully "swiped" one of my downloadable products this way! What can be done - is there a particular PayPal mod that will prevent this?
boxtel Posted May 16, 2006
Is it not possible to set a transaction code in a transaction table at the top of confirmation when confirm is selected, and have checkout_process check for that entry, remove it if present, and refuse execution if it is not?
Treasurer MFC
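An added PHP example (not osCommerce's code nor any poster's) combining the two defences raised in this thread: the single-use confirmation token consumed by checkout_process that boxtel suggests, and the IPN-style server-to-server payment notification that user99999999 and kgt describe, with the order held as 'pending' until that notification is verified. The token alone only stops a request that skipped the confirmation step; it is the verified notification, not the browser reaching any URL, that proves payment. The function names, the session and order arrays, and the notification fields are assumptions, not Nochex's or PayPal's real format.

```php
<?php
// Added illustration, not osCommerce code. (1) checkout_process runs only with a
// single-use token issued at confirmation and consumes it, so a bare request to
// checkout_process.php (or a replay) creates no order. (2) The order is stored as
// 'pending' and becomes 'paid' only through a verified provider notification.
// All names are hypothetical; the notification shape is generic, not Nochex's.
declare(strict_types=1);

$session = ['cart_total' => 19.99, 'confirm_token' => null]; // stands in for $_SESSION
$orders  = [];                                                // stands in for the orders table

function issue_confirm_token(array &$session): string {        // done by checkout_confirmation
    return $session['confirm_token'] = bin2hex(random_bytes(16));
}

function checkout_process(array &$session, array &$orders, ?string $token): ?int {
    $expected = $session['confirm_token'] ?? null;
    if ($expected === null || $token === null || !hash_equals($expected, $token)) {
        return null;                      // confirmation never happened: refuse
    }
    $session['confirm_token'] = null;     // single use
    $orders[] = ['amount' => $session['cart_total'], 'status' => 'pending'];
    return count($orders);                // order id; nothing may ship yet
}

// Called by the provider's notification (IPN-style), not by the customer's browser.
// $verify_with_gateway stands in for the provider's own validation call-back.
function handle_payment_notification(array &$orders, array $n, callable $verify_with_gateway): bool {
    $i = (int) ($n['order_id'] ?? 0) - 1;
    if (!isset($orders[$i]) || $orders[$i]['status'] !== 'pending') return false;
    if (!$verify_with_gateway($n)) return false;                          // forged or replayed
    if (abs((float) ($n['amount'] ?? 0) - $orders[$i]['amount']) > 0.005) return false;
    $orders[$i]['status'] = 'paid';
    return true;
}

function may_ship(array $orders, int $id): bool {
    return ($orders[$id - 1]['status'] ?? '') === 'paid';
}

// Direct hit on checkout_process.php from the address bar: no order is created.
assert(checkout_process($session, $orders, null) === null && $orders === []);
// Real flow: confirm, then return from the gateway; the order exists but is only 'pending'.
$token = issue_confirm_token($session);
$id = checkout_process($session, $orders, $token);
assert($id === 1 && !may_ship($orders, $id));
// Constructed notifications: unverified or wrong-amount ones change nothing; the genuine one marks it paid.
$genuine = fn(array $n): bool => ($n['sig'] ?? '') === 'constructed-valid-signature';
assert(!handle_payment_notification($orders, ['order_id' => 1, 'amount' => '19.99', 'sig' => 'bad'], $genuine));
assert(!handle_payment_notification($orders, ['order_id' => 1, 'amount' => '0.01', 'sig' => 'constructed-valid-signature'], $genuine));
assert(handle_payment_notification($orders, ['order_id' => 1, 'amount' => '19.99', 'sig' => 'constructed-valid-signature'], $genuine));
assert(may_ship($orders, 1));
```

Fulfilment (and download links) should key off may_ship, i.e. the verified 'paid' status, which is the check the thread's posters are doing by hand when they look for the provider's payment email before releasing goods.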