SecurePay Posted July 30, 2013

We have found that the majority of the included payment modules in the latest stable version of osCommerce (v2.3.3) are vulnerable and would like to report them to the developers. As an example, we found that the NOCHEX module is vulnerable and it is possible to place an order without actually paying. This is because the before_process function in nochex.php is empty and it does not check the order information (e.g., order number, total price). Actually, NOCHEX is one of the modules we found vulnerable. There are many more, including important ones like PayPal. We believe that security issues in the payment modules are very important and should be fixed as soon as possible. Since the vulnerabilities may be exploited in many deployed systems, we are not publicly disclosing the details here. If you are a developer of osCommerce, please contact us for details.
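The class of bug described in the post above, as an added example that is not code from osCommerce or its NOCHEX module: an empty before_process() hook completes the order whatever the customer's browser sends back, while a hook that compares the gateway's return data against the order the shop recorded server-side does not. The function and field names, the HMAC-signed return format and the sample data are assumptions for illustration (the real osC hook takes no arguments and reads $order and the request globals; each real gateway defines its own verification scheme).

```php
<?php
// Added example, not code from osCommerce or its NOCHEX module. It contrasts an
// empty before_process() hook (order completes regardless of what the gateway
// returned) with one that verifies the gateway's return data against the order
// held server-side. Function and field names are assumptions for illustration;
// the real osC hook takes no arguments and reads $order and the request globals.

// Hypothetical server-side record of the order awaiting payment (what osC keeps
// in the session and hands to the module as $order).
function example_pending_order(): array {
    return ['id' => 'ORD-1001', 'total' => '49.99', 'currency' => 'GBP'];
}

// Amounts are compared in minor units so "49.99" and "49.990" agree and
// floating-point noise cannot fail or pass a comparison by accident.
function minor_units(string $amount): int {
    return (int) round(((float) $amount) * 100);
}

// The shape of the reported bug: nothing is checked, so checkout_process.php
// goes on to record the order as placed whatever the customer sent back.
function before_process_empty(array $order, array $gateway_return): bool {
    return true;
}

// Hardened hook: require every field, verify a server-known signature over
// them first, then compare order id, currency, amount and status with what the
// shop itself recorded. Returns false instead of redirecting so it can be
// exercised stand-alone; in osC a failure would send the customer back to
// checkout_payment.php with an error rather than continue to checkout_process.
function before_process_checked(array $order, array $gateway_return, string $shared_secret): bool {
    foreach (['order_id', 'amount', 'currency', 'status', 'signature'] as $field) {
        if (!isset($gateway_return[$field]) || !is_string($gateway_return[$field])) {
            return false;
        }
    }

    // Assumed: the gateway signs order_id|amount|currency|status with
    // HMAC-SHA256 under a secret only the merchant and gateway hold. Real
    // gateways each define their own scheme (signed callback, server-to-server
    // status lookup, or both); the point is that the customer's browser cannot
    // be the only source of truth for "this was paid".
    $payload = implode('|', [
        $gateway_return['order_id'],
        $gateway_return['amount'],
        $gateway_return['currency'],
        $gateway_return['status'],
    ]);
    $expected = hash_hmac('sha256', $payload, $shared_secret);
    if (!hash_equals($expected, $gateway_return['signature'])) {
        return false; // forged or tampered return data
    }

    if (!hash_equals((string) $order['id'], $gateway_return['order_id'])) {
        return false; // payment belongs to a different order
    }
    if (strcasecmp($order['currency'], $gateway_return['currency']) !== 0) {
        return false; // paid in a different currency
    }
    if (minor_units($order['total']) !== minor_units($gateway_return['amount'])) {
        return false; // amount differs from the shop's own total (e.g. 1p "payment")
    }
    return $gateway_return['status'] === 'paid';
}

// Constructed sample data for a stand-alone run.
$secret = 'merchant-and-gateway-only';  // assumed shared secret
$order  = example_pending_order();

// What an attacker can produce by hand: the right order id, a 1p "payment",
// any status string, and a made-up signature.
$forged = ['order_id' => 'ORD-1001', 'amount' => '0.01', 'currency' => 'GBP',
           'status' => 'paid', 'signature' => str_repeat('0', 64)];

// What the gateway would actually return for a completed payment.
$genuine = ['order_id' => 'ORD-1001', 'amount' => '49.99', 'currency' => 'GBP', 'status' => 'paid'];
$genuine['signature'] = hash_hmac('sha256', implode('|', [$genuine['order_id'],
    $genuine['amount'], $genuine['currency'], $genuine['status']]), $secret);

var_dump(before_process_empty($order, $forged));
var_dump(before_process_checked($order, $forged, $secret));
var_dump(before_process_checked($order, $genuine, $secret));
```

Run with `php example.php`. The forged return is accepted by the empty hook and rejected by the checked one; the genuine, correctly signed return is accepted by both. Note the order of checks: the signature is verified before any field is trusted, and the amount comparison is against the shop's recorded total, never against a total echoed back by the gateway. Where a gateway offers a server-to-server confirmation (an IPN-style callback or a status lookup by transaction id), that should be the source of the "paid" decision rather than the redirect parameters alone.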
Guest Posted July 31, 2013

@SecurePay lol... you posted on a public forum, therefore your unconfirmed claims have been made public. Also, if you are from SecurePay, then you already know how to contact the developers. As far as I can see, v2.3.3 does not have a payment module vulnerability. However, please submit your fixes on GitHub for review. Chris
SecurePay (Author) Posted August 1, 2013

We are security researchers not affiliated with any payment services. Sorry if the user name caused confusion. We believe the vulnerabilities detected have not been reported or publicly disclosed before. They have not yet been confirmed by the osCommerce developers, but we have successfully exploited them in our test environment. We did try to contact the developers multiple times, but only Nick got back to us, who is no longer with the team.
Dan Cole Posted August 2, 2013

Why don't you send a PM to Harald Ponce de Leon? I'm sure he would want to hear about this.
SecurePay (Author) Posted August 2, 2013

> Why don't you send a PM to Harald Ponce de Leon? I'm sure he would want to hear about this.

I'll do that. Thanks.