
osCommece Credit Card payment module loophole?


zhexiang


Help, it's very urgent & someone has exploited my store and I think it's a loophole in osCommerce!!!

 

Someone by the name Ali Babba from the US just shopped at my store and bought lots of digital products.

 

His payment method is credit card, but when I check with admin, I can't find his credit card number, nor his credit card expiry date.

 

Is it possible to skip the credit card number during checkout? Is this credit card payment module the default with osCommerce?

 

I don't think it's possible for me to claim back US$350+ from this fellow. None of his personal details are real.

 

Please advise on the osCommerce credit card payment module: why can a buyer skip entering the credit card number, and is there any possibility to avoid using it?

 

Here's the mail I received when he made the order (Note: some details I deleted to protect my own privacy)

 

 

Date: 7/29/2006 15:14:14 -0500

From: "Zhe Xiang"

To:

Subject: Order Process

 

 

--------------------------------------------------------------------------------

Low Price Web Templates

------------------------------------------------------

Order Number: 7

Detailed Invoice:

Date Ordered: Saturday 29 July, 2006

 

there is an os commerce exploit you need to fix.

 

Products

------------------------------------------------------

1 x Info-Products Marketing Secrets Exposed () = $25.95

Resell rights Free

1 x On-Screen Banner Rotator () = $15.00

Resell rights - None -

------------------------------------------------------

Sub-Total: $40.95

Total: $40.95

 

Billing Address

------------------------------------------------------

ali babba

123 sesame street

chicago, 60652

United States

 

Payment Method

------------------------------------------------------

Credit Card


First thing I would do is disable the credit card module for OsCommerce and then do a full search for any known bugs with this module via google.

 

Second, I would not ship the goods to Ali Babba, and then you don't need to reclaim the money back!

 

Was it this person who actually put the "there is an exploit in oscommerce that you need to fix" which appears in that email? If so, it appears they were just trying to be helpful rather than trying to cause you problems (unless they did it repeatedly).

 

I noticed your order number for this email was 7, so I would imagine this is a new shop. What payment processor did you use or are you just using the standard cc module? How are you using that module to gain payment (I assume you have a merchant account)?

 

Most people use processors like Worldpay, ProtX, Paypal, etc.

 

Sorry if that did not explain the problem you have, but I am just a little worried that you're using a method to get money that is not actually feasible, and maybe you need to look at getting a payment processor like the ones mentioned above.

 

Cheers

 

Steve

My Toolbox: Crimson Editor, Adobe Photoshop CS2.0, Expression Web, Macromedia Suite 8.0, Cinema 4D, Nvu.


"there is an exploit in oscommerce that you need to fix" is actually generated by osCommerce when the person placed the order.

 

"your order number for this email was 7, so ", yes, it's a new shop, selling templates, ebooks, software, which keeps me wondering if osCommerce is the right thing for selling this kind of digital product.

 

"are you using that module to gain payment (I assume you have a merchant account)?"

No, it's hard to open a 3rd-party merchant account, especially in M'sia, which practises a strict banking policy.


If you do not have a merchant account, how are you planning on processing your credit card payments??

The Knowledge Base is a wonderful thing.

Do you have a problem? Have you checked out Common Problems?

There are many very useful osC Contributions

Are you having trouble with an installed contribution? Have you checked out the support thread found Here

BACKUP BACKUP BACKUP!!! You did backup, right??


I would be interested if someone finds the loophole, I have a few clients that use a VT to process their payments via the standard osc cc module--but even if someone bypasses it it doesn't matter since no money is ever charged--however it could get annoying--

 

I tried to replicate it on a test site but can't, so I would love to know, curiosity is killing this cat!

"I must admit that I personally measure success in terms of the contributions an individual makes to her or his fellow human beings."

---Margaret Mead---

 

"The answer is never the answer. What's really interesting is the mystery. If you seek the mystery instead of the answer, you'll always be seeking. I've never seen anybody really find the answer -- they think they have, so they stop thinking. But the job is to seek mystery, evoke mystery, plant a garden in which strange plants grow and mysteries bloom. The need for mystery is greater than the need for an answer.

--Ken Kesey"


Well, now I have registered myself with MoneyBookers.com, but I wonder how secure is it with osCommerce.

 

I will try to find another 3rd-party merchant account for me while I try to open a US bank account for Paypal outside M'sia...

 

Any recommendation will be useful...


Now, how do you prevent people from changing the url to checkout_success when they haven't made any payment?

 

I have lots of download products and don't want them to download any if they fail to make proper and honest payment...


maybe rename the page?

and set the proper filenames in the proper places

 

although, this isn't a real fix


You change the way the checkout process operates. The weakness is with the final form that is submitted to the gateway instead of to the store itself, because you do not get a chance to validate the form fields. Once you do that, even COD cannot be bypassed without the field validation.

http://www.oscommerce.com/forums/index.php?s=&...st&p=859644
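The two points in this thread, that checkout_success can be reached by typing its URL and that a form posted straight to the gateway is never validated by the store, have one common fix: the store must record "paid" only from a gateway notification it has verified itself, and the success/download page must check that recorded status instead of trusting how the visitor arrived. The following is an added, stand-alone illustration of that pattern and is not osCommerce code or the code linked above; the in-memory ORDERS dict, the shared secret, the order numbers and the HMAC-signed notification format are all constructed assumptions standing in for a real orders table and a real gateway's callback scheme.

```python
import hashlib
import hmac

# Constructed stand-ins (assumptions): a real shop keeps orders in its database and
# shares a secret (or a public key) with its payment gateway out of band.
GATEWAY_SECRET = b"constructed-shared-secret-not-a-real-one"
ORDERS = {}

def create_order(order_id, customer_id, total):
    """Record the order server-side with the total the STORE computed, status pending."""
    ORDERS[order_id] = {"customer": customer_id, "total": float(total), "status": "pending"}
    return ORDERS[order_id]

def sign_notification(order_id, amount, status, secret=GATEWAY_SECRET):
    """HMAC over the fields the gateway reports (assumed notification format)."""
    msg = f"{order_id}|{amount:.2f}|{status}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def gateway_callback(order_id, amount, status, signature):
    """Server-to-server notification from the gateway.

    This is the ONLY path that may mark an order paid. It is validated against
    data the store already holds, so a shopper editing the checkout form or
    visiting checkout_success directly changes nothing here.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return False
    expected = sign_notification(order_id, amount, status)
    if not hmac.compare_digest(expected, signature):
        return False  # forged or tampered notification: ignore it
    if status != "paid":
        return False  # declined / cancelled / pending: leave the order unpaid
    if abs(float(amount) - order["total"]) > 0.005:
        return False  # amount differs from the store's own total (edited form field)
    order["status"] = "paid"
    return True

def checkout_success(order_id, session_customer_id):
    """Gate the success/download page on server-side state, not on the URL.

    Returns an HTTP-style status: 200 show downloads, 402 payment not recorded,
    403 not this customer's order (or no such order).
    """
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_customer_id:
        return 403
    if order["status"] != "paid":
        return 402
    return 200

if __name__ == "__main__":
    create_order("7", customer_id=42, total=40.95)
    print("direct visit before paying:", checkout_success("7", 42))        # 402
    forged = gateway_callback("7", 40.95, "paid", "0" * 64)
    print("forged callback accepted:", forged)                             # False
    ok = gateway_callback("7", 40.95, "paid", sign_notification("7", 40.95, "paid"))
    print("genuine callback accepted:", ok, "->", checkout_success("7", 42))  # True -> 200
```

The download links (or the orders_status update that unlocks them) belong behind checkout_success, and the same status check belongs in the download handler itself, since a link copied from the success page is just another URL. Renaming the success page, as suggested earlier in the thread, only hides the URL; it does not add this check.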


Archived

This topic is now archived and is closed to further replies.
