Posted

That's interesting byunkook... the user authentication failed normally implies that your PartnerID, VendorID, UserID, or Password is incorrect. I have the same VendorID as PartnerID; I do not know if this is the same for others. Are the test transactions showing up in the verisign manager with the pfpro_file.exe? If so, that's cool.

Additionally, I've thought of a method to enhance security pertaining to the previous discussion with Jazz. I think I can write out an XML file containing all the pertinent information then remove the file (this way, the data would not be viewable from a "ps" command). However, there is the fact that a file will exist for that timeframe with cc data. At any rate I may add that enhancement next.

Posted

(Sometimes the problem with written language is that the tone of voice cannot be properly expressed :)).

When I'm learning I ask questions. I appreciate the time you spent on working on this contribution and answering my questions. I in no way meant to accuse you of "opening security holes" or wanted to start a "security debate", and if it sounded like that I sincerely apologize :huh:. I'm just trying to understand the inner workings of payflow and have had a hard time finding this kind of information from verisign or the PHP, *nix documentation, etc.

I'm trying to gauge the level of risk there is with various systems under various conditions and then make a determination on what I'm willing to do. Basically: What is the most secure Payflow Pro setup in a shared environment (where some users may obtain SSH)?

And is the most secure option in this environment an acceptable risk (i.e. would I be negligent in using that kind of system)?

Once again, I apologize if you felt attacked. :huh:

p.s.

Though you are incorrect in stating that "any shared environment" is capable of being compromised.

Sorry, the statement was actually a question and I'm thinking of any shared environment where others could have SSH access. (notice the 'possible').

Posted

Jazz,

Good points, I in no way feel attacked and do apologize if I came on strong... I just despise security issues where the developers are accused when the majority of security breaches I've seen were the sole responsibility of the System Administrator (my comment on the security of the server being paramount to the security of the code). You are correct in your pursuit of security as it is a constant concern for all on the internet. I believe Verisign's solution to the "ps" question is their pfpro-file transmission that requires a small XML parser to be written to transmit and receive credit card transactions. I believe that will be my next enhancement.

Posted

What I meant by working is the website, not the test transaction.

I don't see the test transaction in the verisign manager.

I guess I have to use the pfpro.exe with the right input in the fields.

My inputs in the fields for the testing are:

PayflowPro Host Address: test-payflow.verisign.com
PayflowPro Host Port: 443
PayflowPro Transaction Type: S
PayflowPro Transaction Tender: C
PayflowPro Partner : actual partner name that I put in when I log in to verisign manager.
PayflowPro Vendor: arttest&PARTNER=VeriSign
PayflowPro User : actual user name that I put in when I log in to verisign manager.
PayflowPro Password : actual password that I put in when I log in to verisign manager.
PayflowPro Transaction Timeout: 45

I have no proxy server.

Can you correct me if my inputs are wrong?

Thank you.

Posted

Posting while I was writing... I think it's a great idea, Marshall.

I've been on the web/IRC all day trying to find out how big of a risk it is. Some said that the PHP pfpro functions may not show up in ps... Basically conflicting information. I was trying to think of a way to encrypt the parameters sent to the executable... :tellme:?

Either way I think the XML file idea is a good one. :thumbsup: Even better if that file were somehow encrypted so that if anybody did have access to that file they would still have to crack the encryption.

Just now somebody suggested a kernel parameter which prohibits users from listing processes other than their own. Don't know if this is available for Red Hat servers (I run FreeBSD at home but most servers are Red Hat).
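The "ps" concern raised by Marshall (passing card data to the pfpro executable) and the mitigations Jazz mentions in the post above (a temporary XML file, and a kernel setting that hides other users' processes), as an added example that is not osCommerce, Verisign or any poster's code. The script spawns a stand-in child process (a Python interpreter, not pfpro) and shows that a value placed on its command line is readable through /proc (or ps) by any local user on a default system, while the same value sent over stdin is not; it also writes a request to a 0600 file created atomically, which is how the XML-file approach limits exposure, and reports whether /proc is mounted with Linux's hidepid option (the kernel-level restriction; on FreeBSD the equivalent is the security.bsd.see_other_uids sysctl). SAMPLE_PAN is a constructed value, not a real card number.

```python
"""Added example: secrets on argv vs. stdin / a private file, plus a hidepid check."""
import os
import subprocess
import sys
import tempfile

# Constructed sample value for the demo, not a real card number.
SAMPLE_PAN = "4111111111111111"


def argv_of(pid):
    """Return the command line of a live process as another local user would see it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:  # Linux procfs
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    except FileNotFoundError:
        # No procfs (e.g. FreeBSD): ask ps for the argument list instead.
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=False)
        return out.stdout


def secret_in_argv_is_visible(secret=SAMPLE_PAN):
    """Spawn a child with the secret on its command line; True if argv reveals it."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", "ACCT=" + secret])
    try:
        return secret in argv_of(child.pid)
    finally:
        child.kill()
        child.wait()


def secret_via_stdin_is_visible(secret=SAMPLE_PAN):
    """Same child, but the secret travels over a pipe; True if argv reveals it."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys, time; sys.stdin.readline(); time.sleep(30)"],
        stdin=subprocess.PIPE, text=True)
    try:
        child.stdin.write(secret + "\n")
        child.stdin.flush()
        return secret in argv_of(child.pid)
    finally:
        child.kill()
        child.wait()


def write_private_request_file(xml_text, directory=None):
    """Write the request to a file created with O_EXCL and mode 0600, return its path.

    Only the path would go on the child's command line; the caller unlinks the
    file as soon as the child has read it, which is the scheme the thread describes.
    """
    fd, path = tempfile.mkstemp(prefix="pfreq-", suffix=".xml",
                                dir=directory or tempfile.gettempdir())
    with os.fdopen(fd, "w") as fh:
        fh.write(xml_text)
    return path


def proc_hidepid():
    """Return the hidepid= value /proc is mounted with on Linux, or None.

    hidepid=1 or 2 (newer kernels also accept names such as "invisible") stops
    unprivileged users from reading other users' /proc entries, so ps only lists
    their own processes. Returns None when /proc is absent or has no hidepid option.
    """
    try:
        with open("/proc/mounts") as fh:
            for line in fh:
                fields = line.split()
                if len(fields) >= 4 and fields[1] == "/proc":
                    for opt in fields[3].split(","):
                        if opt.startswith("hidepid="):
                            return opt.split("=", 1)[1]
                    return None
    except FileNotFoundError:
        return None
    return None


if __name__ == "__main__":
    print("argv exposes secret:  ", secret_in_argv_is_visible())
    print("stdin exposes secret: ", secret_via_stdin_is_visible())
    path = write_private_request_file("<request/>")
    print("private file mode:    ", oct(os.stat(path).st_mode & 0o777))
    os.unlink(path)
    print("/proc hidepid:        ", proc_hidepid())
```

Even with a 0600 file, root and anyone who can read the web server's files (the common case on shared hosting, where the PHP code runs as one shared user) still sees the data for the file's lifetime, which is the caveat Marshall already notes; hidepid closes the ps channel but not that one.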

Posted

byunkook,

My Partner name is Verisign (I use them).

My Vendor name is the same as my User name which I put into the verisign manager.

If you are set up like me, you will need to put Verisign into the Partner name field and your username into the Vendor and User fields.

Let me know if this works for you.

  • 1 month later...
Posted

I am having similar problems.

I am running this script on linux.

I can run the test connection successfully, receiving the 0 response from the command line.

If I put the final config to

PayflowPro Executable
/verisign/linux/bin/pfpro

and run a transaction I get an error connecting to host.

If I put the final config to

PayflowPro Executable
/verisign/linux/bin/pfpro-file

I get no error and it says all went through, however when I check through the verisign manager the tests don't show up.

any ideas?

thanks in advance

  • 3 weeks later...
Posted

I'm really new at this so maybe I'm missing something obvious, but when I installed the fix you posted, I got the following error when I went into the admin module:

Fatal error: Cannot redeclare pfpro_init() in /var/www/html/includes/functions/php_pfpro.php on line 61

I grep'ed through the code and pfpro_init is only declared in one place. Any clues?

  • 2 months later...
Posted

I had that "cannot redeclare pfpro_init()" problem too. Then I found out that PHP had been recompiled to include the pfpro functions. I removed the one include of php_pfpro and it worked. Well, now I'm getting unexplained decline errors, but that's something else.
