
osCommerce


!!! HELP !!!!


Guest


I am using PayPal (the original that came with MS1) and I had 2 orders so far get processed WITHOUT the person actually paying for the products. I verified that the PayPal transaction never took place. So I decided to test if I could skip the payment part and it was REALLY easy.... Just some slight modification in the URL and osCommerce completes the order process.

 

Does anyone have a fix for this??? or information on it or am I doing something wrong?

 

I don't want to turn the PayPal option off, but I am out 50.00 so far.


Steve,

 

I'd love to hear exactly how you were able to get OSC to complete a transaction through the PayPal payment method without actually paying. I've personally tested this EXTENSIVELY, and to my knowledge, it is NOT possible by just changing some things around in the URL.

 

So, if you could give us very specific directions on how you were able to do this, we could see if we can duplicate it. Otherwise I'm afraid I'll have to believe that you are exaggerating somewhat.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.


Also, why anyone would ship something to someone that didn't actually pay is beyond me.


Sorry B, That was a poor choice for a title.

 

Wiz. The line should read

 

I don't want to turn the PayPal option off, but I WOULD BE out 50.00 so far.

--------------------

 

Wiz- take this to Private Message.... I got hit with a $hit load of bogus orders tonight after posting this.

 

I will show you how to edit the url to recreate this.


Well, Steve just proved to me that this is possible.

 

PayPal users BEWARE. I imagine the downloadable products are the most in danger, because at least orders that have to be shipped can be verified to have actually received funds.


I'm a little hesitant to say on the forum, for fear that everyone will be trying it, and it's not exactly straightforward.

 

Someone without familiarity with OSC would not be able to do it.

 

I'll PM you.


so tell us what is the best thing to do right now, TURN OFF paypal option ?

(which is off for me anyway)

Just want to know how you all deal with such things...

 

This is very important to many osC users, paypal is used Everywhere so....

 

I am interested in such things....

 

 

Security is TOO important these days

Robert

 

We all need to learn it once; however hard it may seem when you look at it, you will master it someday ;)


Personally, I'm undecided.

 

I'll probably leave it on, but verify all payments before shipping.


And no instant downloads...

 

Only after verified by a real person.

 

poo..

 

Hope someone is able to come up with a fix...

[no external urls in signatures please, kthanks]


Hello All,

 

Just as a quick update. I am hoping that between Wiz and I we can figure something out to handle the PayPal problem. It seems to be a weakness on PayPal's side, but the weird thing is I can create it on my laptop, but not my desktop. WIZ, I agree with your last PM, I also only got limited info displayed.

 

I am with Wiz on this one. I want to research the problem; I fear if I post this all will be in danger. The instant downloads are the biggest threat.

 

Just to fill everyone in I received 94 bogus paypal orders yesterday so watch your ORDERS !!!!!!!!!!!!!!!!!!!! I have been verifying the orders to the paypal e-mail confirmations.

 

Lastly, I am going hunting for NON-oscommerce carts to see if I can duplicate the same problem. If so, then I will be SURE this is a paypal problem.



I have been able to duplicate the bug on other shopping systems as well.

It is a problem with PayPal, or any payment processor that relies on the <form> POST method.

 

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"


Thanks for the info. I guess updating to the new PayPal will NOT solve our problem because it lies on PayPal's side. Is this why authorize.net uses the dll to pass information and not POST vars? Any ideas mattice?


Yeah it appears to also happen with the IPN though. You were able to place an order on my shop last night without paying, and I'm using IPN.


2checkout.com avoids this problem by including a validation code in the information that 2checkout.com sends back to the shopping cart script. The validation code is computed as the MD5 digest of several parameters, including the cost, order number and a "secret" keyword that is entered into your account information on the 2checkout.com side. The secret keyword is not stored in any form, nor passed in any HTML request. Assuming that the keyword is chosen appropriately (mixture of upper/lower case, numbers, etc.), it's not possible for someone to spoof the validation code.

 

However, I don't think that the osCommerce script checks the validation code in its 2checkout.com payment module.


Honestly, at this point, I'm just disgusted with PayPal in general.

 

They have gone from being my one and only CC processor, and my personal favorite, to being the greatest security risk on my site.


Thanks Dave.

 

I think 2checkout.com is more of an equal to authorize.net. Paypal is a more common market/auction type bidding system. for better or worse, Paypal will need to look at this flaw.


mattice

 

Did you ever call PayPal tech and explain this? I wonder if they would allocate a resource to look at the problem.


hey All,

 

Dreamscape is right. The IPN contribution fixes this problem completely.

 

It only looks to the hacker as if the order was successful, but the IPN module doesn't update the order to "Panding" as it does when someone pays with PayPal, and you don't get an email saying that there was an order.

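The two fixes discussed in this thread, Dave's description of the 2checkout validation code (an MD5 digest over the order fields plus a merchant-side secret) and Wiz's observation that with IPN the browser return never marks the order as paid, are shown side by side in the following example. It is added here and is not code from osCommerce, PayPal or 2checkout; the digest field layout, the in-memory order store, the handler names and every sample value are assumptions constructed for the illustration. Python is used so the logic runs stand-alone; the real payment modules are PHP.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared secret that lives only on the merchant side
# (placeholder value for the example, not a real credential).
SECRET_WORD = "example-secret-word-CHANGE-ME"


@dataclass
class Order:
    order_id: str
    amount: str        # kept as the exact string the gateway will echo back, e.g. "50.00"
    status: str = "Unpaid"


def validation_code(secret: str, order_id: str, amount: str) -> str:
    """MD5 over the secret word plus the order fields, in the spirit of the 2checkout scheme.

    The field order and separator here are an assumption for this example; any
    fixed layout works as long as the merchant and the gateway agree on it.
    """
    return hashlib.md5(f"{secret}|{order_id}|{amount}".encode()).hexdigest()


def insecure_return_handler(orders: dict, params: dict) -> bool:
    """The pattern the thread complains about: the browser redirect alone completes the order.

    Whatever the customer's browser carries back is believed, so a request that
    never went through the gateway still flips the order to Paid.
    """
    order = orders.get(params.get("order_id"))
    if order is None:
        return False
    order.status = "Paid"
    return True


def safe_return_handler(orders: dict, params: dict) -> str:
    """The IPN-style fix: the browser return only picks a page to show and never changes state."""
    order = orders.get(params.get("order_id"))
    return "thank-you page" if order else "unknown order"


def processor_notification_handler(orders: dict, params: dict, secret: str = SECRET_WORD) -> bool:
    """Server-to-server notification: the only path that moves an order forward.

    Checks that the order exists, that the amount matches what the shop charged,
    and that the validation code was computed with the shared secret.
    """
    order = orders.get(params.get("order_id"))
    if order is None:
        return False
    if params.get("amount") != order.amount:          # amount tampering
        return False
    expected = validation_code(secret, order.order_id, order.amount)
    # Constant-time comparison so the check itself does not leak the digest.
    if not hmac.compare_digest(expected, params.get("key", "")):
        return False
    order.status = "Pending"
    return True


def demo() -> dict:
    """Runs both designs against a forged return and a genuine notification (constructed data)."""
    results = {}

    # Forged browser return against the old handler: order completes without payment.
    orders = {"1001": Order("1001", "50.00")}
    insecure_return_handler(orders, {"order_id": "1001", "status": "Completed"})
    results["insecure_forged"] = orders["1001"].status

    # The same forged return against the safe handler: nothing changes.
    orders = {"1001": Order("1001", "50.00")}
    safe_return_handler(orders, {"order_id": "1001", "status": "Completed"})
    results["safe_forged_return"] = orders["1001"].status

    # Notification without knowledge of the secret (a guessed key): rejected.
    forged = {"order_id": "1001", "amount": "50.00", "key": "0" * 32}
    results["forged_notification_accepted"] = processor_notification_handler(orders, forged)

    # Notification whose amount does not match the order: rejected before the digest is checked.
    tampered = {"order_id": "1001", "amount": "0.01",
                "key": validation_code(SECRET_WORD, "1001", "0.01")}
    results["tampered_accepted"] = processor_notification_handler(orders, tampered)

    # Genuine notification carrying the correct validation code: order becomes Pending.
    genuine = {"order_id": "1001", "amount": "50.00",
               "key": validation_code(SECRET_WORD, "1001", "50.00")}
    results["genuine_accepted"] = processor_notification_handler(orders, genuine)
    results["final_status"] = orders["1001"].status
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split is that the browser return is under the customer's control and the notification is not: the first may only render a page, and the second is trusted only after the amount is matched against the shop's own record and the secret-keyed digest verifies. With real IPN the digest check is replaced by posting the notification back to PayPal for validation, but the rule that no state changes on the return URL is the same.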

Hehehehe!

 

I love it when my initial advice was right to start with...even when I didn't know what the original problem was....... :lol: :lol: :lol: :lol:


God, if my fingers get any fatter, I'll have to type with my forehead.

 

"Panding"?


I heard you thinking it. :lol:


Archived

This topic is now archived and is closed to further replies.
