zhexiang Posted July 31, 2006

Help, it's very urgent. Someone has exploited my store and I think it's a loophole in osCommerce!!! Someone by the name Ali Babba from the US just shopped at my store and bought lots of digital products. His payment method is credit card, but when I check in admin, I can't find his credit card number, nor his credit card expiry date. Is it possible to skip the credit card number during checkout? Is this credit card payment module the default with osCommerce? I don't think it's possible for me to claim back US$350+ from this fellow. None of his personal details are real. Please advise on the osCommerce credit card payment module: why can a buyer skip entering the credit card number, and is there any possibility to avoid using it?

Here's the mail I received when he made the order (Note: some details I deleted to protect my own privacy):

Date: 7/29/2006 15:14:14 -0500
From: "Zhe Xiang"
To:
Subject: Order Process

--------------------------------------------------------------------------------
Low Price Web Templates
------------------------------------------------------
Order Number: 7
Detailed Invoice:
Date Ordered: Saturday 29 July, 2006

there is an os commerce exploit you need to fix.

Products
------------------------------------------------------
1 x Info-Products Marketing Secrets Exposed () = $25.95
Resell rights Free
1 x On-Screen Banner Rotator () = $15.00
Resell rights - None -
------------------------------------------------------
Sub-Total: $40.95
Total: $40.95

Billing Address
------------------------------------------------------
ali babba
123 sesame street
chicago, 60652
United States

Payment Method
------------------------------------------------------
Credit Card
PD_Steve Posted July 31, 2006

First thing I would do is disable the credit card module for OsCommerce and then do a full search for any known bugs with this module via Google. Second, I would not ship the goods to Ali Babba, and then you don't need to reclaim the money back!

Was it this person that actually put the "there is an exploit in oscommerce that you need to fix" which appears in that email? If so, it appears they were just trying to be helpful rather than trying to cause you problems (unless they did it repeatedly).

I noticed your order number for this email was 7, so I would imagine this is a new shop. What payment processor did you use, or are you just using the standard cc module? How are you using that module to gain payment (I assume you have a merchant account)? Most people use processors like Worldpay, ProtX, Paypal, etc.

Sorry if that did not explain the problem you have, but I am just a little worried that you're using a method to get money that is not actually feasible and maybe you need to look at getting a payment processor like the ones mentioned above.

Cheers
Steve

My Toolbox: Crimson Editor, Adobe Photoshop CS2.0, Expression Web, Macromedia Suite 8.0, Cinema 4D, Nvu.
MarcoZorro Posted July 31, 2006

Take a read of http://www.oscommerce.com/forums/index.php?showtopic=218671
zhexiang Posted July 31, 2006 (Author)

"there is an exploit in oscommerce that you need to fix" is actually generated by osCommerce when the person completed the order.

"your order number for this email was 7, so": yes, it's a new shop, selling templates, ebooks, software, which keeps me wondering if osCommerce is the right thing for selling these kinds of digital products.

"are you using that module to gain payment (I assume you have a merchant account)?" No, it's hard to open a third-party merchant account, especially in M'sia, which practises a strict banking policy.
ozcsys Posted July 31, 2006

If you do not have a merchant account, how are you planning on processing your credit card payments??

The Knowledge Base is a wonderful thing. Do you have a problem? Have you checked out Common Problems? There are many very useful osC Contributions. Are you having trouble with an installed contribution? Have you checked out the support thread found Here? BACKUP BACKUP BACKUP!!! You did backup, right??
rabbitseffort Posted August 1, 2006

I would be interested if someone finds the loophole. I have a few clients that use a VT to process their payments via the standard osc cc module, but even if someone bypasses it, it doesn't matter since no money is ever charged. However, it could get annoying. I tried to replicate it on a test site but can't, so I would love to know; curiosity is killing this cat!

"I must admit that I personally measure success in terms of the contributions an individual makes to her or his fellow human beings." ---Margaret Mead---
"The answer is never the answer. What's really interesting is the mystery. If you seek the mystery instead of the answer, you'll always be seeking. I've never seen anybody really find the answer -- they think they have, so they stop thinking. But the job is to seek mystery, evoke mystery, plant a garden in which strange plants grow and mysteries bloom. The need for mystery is greater than the need for an answer." --Ken Kesey
zhexiang Posted August 1, 2006 (Author)

"If you do not have a merchant account how are planning on processing your credit card payments??"

Well, now I have registered myself with MoneyBookers.com, but I wonder how secure it is with osCommerce. I will try to find other third-party merchant accounts for me while I try to open a US bank account for Paypal outside M'sia... Any recommendation will be useful...
zhexiang Posted August 1, 2006 (Author)

Now, how do you prevent people from changing the URL to checkout_success when they haven't made any payment? I have lots of download products and don't want them to download any if they fail to make a proper and honest payment...
rabbitseffort Posted August 1, 2006

Maybe rename the page? And set the proper filenames in the proper places. Although, this isn't a real fix.
Guest Posted August 1, 2006

You change the way the checkout process operates. The weakness is with the final form that is submitted to the gateway instead of going to the store itself, because you do not get a chance to validate the form fields. Once you do that, even COD cannot be bypassed without the field validation.

http://www.oscommerce.com/forums/index.php?s=&...st&p=859644
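For the question above about jumping straight to checkout_success, and the reply that the final form should post back to the store so the fields can be validated before anything is recorded, here is an added example in PHP. It is not osCommerce's own code and does not reproduce its checkout files; it only models the shape of the fix: checkout_process validates every card field on the server, asks the processor for an approval, and only then writes the order and its status, while the download step trusts nothing but that server-written state. The function names, the in-memory `$orders` array, the `$charge` callable standing in for the payment processor, and the test card number are all hypothetical.

```php
<?php
// Added example, not osCommerce code. Two-step checkout where reaching
// checkout_success by typing its URL serves nothing, because the download
// step keys on order state that only checkout_process writes.
declare(strict_types=1);

// Luhn check: rejects empty, short and mistyped card numbers before any gateway call.
function luhn_ok(string $number): bool
{
    $digits = preg_replace('/\D/', '', $number);
    $len = strlen($digits);
    if ($len < 13 || $len > 19) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = $len - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Expiry must be a real month/year and not before $now (a Unix timestamp).
function expiry_ok(string $month, string $year, int $now): bool
{
    if (!ctype_digit($month) || !ctype_digit($year) || strlen($year) !== 4) {
        return false;
    }
    $m = (int) $month;
    if ($m < 1 || $m > 12) {
        return false;
    }
    // Day 0 of the following month is the last day of the expiry month.
    return mktime(23, 59, 59, $m + 1, 0, (int) $year) >= $now;
}

// Step 1: checkout_confirmation POSTs here, never straight to the gateway or to
// checkout_success. $charge is the store's processor call and is hypothetical;
// it must return true only on an approval.
function checkout_process(array $post, array &$session, array &$orders, callable $charge): array
{
    if (empty($session['cart'])) {
        return ['ok' => false, 'error' => 'empty cart'];
    }
    foreach (['cc_owner', 'cc_number', 'cc_expires_month', 'cc_expires_year'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            return ['ok' => false, 'error' => "missing $field"]; // a blank card number is a hard stop
        }
    }
    if (!luhn_ok((string) $post['cc_number'])) {
        return ['ok' => false, 'error' => 'invalid card number'];
    }
    if (!expiry_ok((string) $post['cc_expires_month'], (string) $post['cc_expires_year'], time())) {
        return ['ok' => false, 'error' => 'card expired'];
    }
    $total = array_sum($session['cart']);
    if (!$charge((string) $post['cc_number'], $total)) {
        return ['ok' => false, 'error' => 'payment declined'];
    }
    // The order exists only now, and only the server sets its status.
    $id = count($orders) + 1;
    $orders[$id] = [
        'customer_id' => $session['customer_id'],
        'products'    => array_keys($session['cart']),
        'status'      => 'paid',
        'total'       => $total,
    ];
    $session['order_id'] = $id; // written by the server, never read from the URL
    $session['cart'] = [];
    return ['ok' => true, 'order_id' => $id];
}

// Step 2: checkout_success and the download link both go through this check.
function download_allowed(array $session, array $orders, string $product): bool
{
    $order = $orders[$session['order_id'] ?? 0] ?? null;
    return $order !== null
        && $order['customer_id'] === $session['customer_id']
        && $order['status'] === 'paid'
        && in_array($product, $order['products'], true);
}

// Constructed walk-through: fake gateway approves only one test number.
$orders  = [];
$gateway = fn(string $number, float $amount): bool => preg_replace('/\D/', '', $number) === '4111111111111111' && $amount > 0;
$session = ['customer_id' => 42, 'cart' => ['banner-rotator' => 15.00]];

var_dump(download_allowed($session, $orders, 'banner-rotator'));   // typed-in checkout_success: no order in session
var_dump(checkout_process(['cc_owner' => 'A Babba'], $session, $orders, $gateway)); // card number left out
var_dump(checkout_process([
    'cc_owner' => 'A Babba', 'cc_number' => '4111 1111 1111 1111',
    'cc_expires_month' => '12', 'cc_expires_year' => '2099',
], $session, $orders, $gateway));
var_dump(download_allowed($session, $orders, 'banner-rotator'));   // only after a recorded, approved order
```

Run it with `php checkout_example.php`. The design choice is that neither the success page nor the download handler reads anything from the request that decides whether the customer paid; the only input is an order record that checkout_process wrote after validating the fields and getting an approval, so renaming checkout_success (as suggested above) becomes unnecessary.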