Pharkie, posted February 3, 2004:

Or you could enable MD5 to improve things a bit

Worldpay problems

This page explains the problems with Select Junior better than I can. I can confirm though, that the issues it outlines are still present and affect anyone using Worldpay, including via the OSC contribution. That page doesn't include my technique of using a JavaScript debugger, which is more likely to work than the way it suggests.

So yeah MD5 would sort the main part of the insecure-ness out. The contribution needs to be changed for that to work, I think, but that would be simple. IMHO a 12-character password is secure enough, and as for its point about the callback - I've not looked into that but what it's saying makes sense.

One way or the other, there are some pretty big problems with the current OSC worldpay system. If you check your orders by hand and ensure the amounts/totals make sense, then you'll be OK.
nainesh, posted February 6, 2004:

Sorry, I should read through the whole thread. The answer was in there. Worldpay doesn't work with STS Template. There is a message suggesting it can be used but I was left a little confused. Has anyone managed to get worldpay and sts working together?

cheers
Guest, posted February 10, 2004:

I have just set up worldpay on a new site and when doing a test I noticed the new look pages for the first time on the worldpay server. That big black bar at the top of the site and the huge padlock couldn't look more different from the site. Has anyone had any luck with changing the look of the payment pages?
Pharkie, posted February 11, 2004:

Yeah.. My payment pages look good enough - not great, but good enough. You need to upload HTML for it to use in the Header and Footer, and use Styles. Go through and change all the colours it uses to match your site. It is possible but it's more work than it should be..
gameessentials, posted February 13, 2004:

Come on, someone must have some better solutions for the 1062-Duplicate entry error???
Pharkie, posted February 14, 2004:

> Come on, some one must have some better solutions for the 1062-Duplicate entry error???

Nimmit solved his problem by the looks of things. Read his posts, and if not, get in touch and see if his solution might work for you. I thought it was to do with cookie addresses, and Nimmit said:

> If anyone else has this problem in the future it was to do with my https cookie domain set up in configue.php I had a typo! Typical it's the little things that can really mess you up!

Good luck..
Guest, posted February 15, 2004:

Hiya, in reference to the duplicate entry error. Have a good read of this wiki; it's just the basic configure file that needs to be checked in this situation. Make sure that you have every setting as it should be. I tried so many things around the time I had that problem. And I'm pretty sure this was what was causing it.

Nimmit
gameessentials, posted February 15, 2004:

Hi, I've tried pretty much everything in my config.php. This is what it looks like:

    define('HTTP_SERVER', 'http://www.gameessentials.co.uk'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://webatwork2.cheapdomainsuk.com/~gameesse'); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL', true); // secure webserver for checkout procedure?
    define('HTTP_COOKIE_DOMAIN', 'www.gameessentials.co.uk');
    define('HTTPS_COOKIE_DOMAIN', 'webatwork2.cheapdomainsuk.com/~gameesse');
    define('HTTP_COOKIE_PATH', '/catalog/');
    define('HTTPS_COOKIE_PATH', '/catalog/');
    define('DIR_WS_HTTP_CATALOG', '/catalog/');
    define('DIR_WS_HTTPS_CATALOG', '/catalog/');
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
    define('DIR_FS_CATALOG', '/home/gameesse/public_html/catalog/');
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
    define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

    // define our database connection
    define('DB_SERVER', 'localhost'); // eg, localhost - should not be empty for productive servers
    define('DB_SERVER_USERNAME', 'xxxxxx');
    define('DB_SERVER_PASSWORD', 'xxxxxx');
    define('DB_DATABASE', 'xxxxxx');
    define('USE_PCONNECT', 'false'); // use persistent connections?
    define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

I've spoken to Ady who had the same problem; he has solved it by setting his HTTPS_COOKIE_DOMAIN the same as his HTTP_COOKIE_DOMAIN.

This didn't work for me, I'm starting to think that this is a problem with my Shared SSL. Do you think buying a dedicated SSL could cause this problem? I'm also getting the Paypal IPN error.

Cheers
Rob
Guest, posted February 15, 2004:

Hiya, I just started looking into this problem and in the process BROKE MY STORE AGAIN (panic!!!) But have now fixed it again! (phew!). I'm not saying that this is right for everyone but in MY CASE it is to do with that cookie domain. If I put a http or https on the front of it, it gives the duplicate entry problem. The moment I take it away it's fixed again... whether or not this is going to be the case for everyone is another question.

Keep at it

Nimmit

p.s. both my http & https cookie things are the same
Guest, posted February 18, 2004:

I have put a fix in a new version of the contribution. Your configure settings are correct for this new contribution. The only file that I have changed is catalog->includes->modules->payment->worldpay.php

Worldpay 4.0 version 1.5

Regards
Nimmit
gameessentials, posted February 19, 2004:

Thanks a lot for your help nimmit :)

Rob
Guest, posted February 24, 2004:

Does anyone know how to pass the WP reference number back and have it included on the invoice or anywhere else? It's a pain having to find it when a customer returns something, if it were on the actual invoice or order page it would make life easier.
Pharkie, posted February 25, 2004:

heh - that was one of the things I was going to look at wasn't it.. I'm in a good mood today so I might see what I can do.. If I don't, feel free to kick me up the ass on this.

Adam
Flat Eric, posted February 26, 2004:

When the order arrives, copy the WP Transaction ID and paste it into the account history. If you get a return you can quickly locate the WP ID via the shop order number. Not perfect though it does work.

Greg
kdp, posted March 5, 2004:

I've got a problem that I think is due to a cookie stored on my box somewhere as a result of a failed transaction. Worldpay processes the transaction and sends its confirmation emails. The callback URL http://<wpdisplay item="MC_callback"> produces the WP box at the top of the page and the header beneath it. The rest of the page won't load and the sale is not confirmed/logged by OSC. WP does not send a failure email and there are no warning messages. Although I go through the WP process, the goods are still in my cart.

Can anyone help and shed light on what I'm missing? (MS2.2 - WP 4 1.5b - no other contribs)

regards
Kev
Guest, posted March 6, 2004:

It sounds like maybe one of the files you uploaded is corrupt. I think it's called wp-callback.php or similar. Try re-uploading the files and see what happens.
Rwfresh, posted March 15, 2004:

Hi Guys, I just set up the Worldpay module in a ms2.2 installation. I am having the same callback problem. I have checked the installation id and it is correct. Any other ideas? As a result of no callback the cart remains full and the order is not put into osc.

Thanks!
rw
Rwfresh, posted March 15, 2004:

Once the order is confirmed by WorldPay the customer is sent to this base URL: https://select.worldpay.com/aequitas/card? with the following text:

    Thank You.
    This was NOT a live transaction - no money has changed hands
    Thank you, your payment was successful
    Merchant's Reference: osCsid=f0acc5a58dc031838cba408ac70e1dbf
    WorldPay Transaction ID: 64803702
    Please contact WorldPay immediately if there has been a problem making your payment.

Any ideas are appreciated.

thanks,
rw
Ian-San, posted March 15, 2004:

Probably, you are in Test Mode. Set to live in Admin.

> The mode you are working in (100 = Test Mode Accept, 101 = Test Mode Decline, 0 = Live)

Ian-san
Flawlessnet
Rwfresh, posted March 15, 2004:

I will try it. So the callback does not work in test mode?

ALSO, is there a reason this mod uses dynamic callback? ie: builds the callback url? Is this strictly to support multiple languages? I've tried plugging the callback URL right into the Worldpay panel and it works fine. ie: www.mydomain.com/wpcallback.php instead of: http://<wpdisplay item="MC_callback">

When I use http://<wpdisplay item="MC_callback"> it does not work (in test mode or otherwise). I have even tried hardcoding in my callback url to modules/payment/worldpay.php file ie:

    tep_draw_hidden_field('MC_callback', 'http://www.mydomain.com/wpcallback.php?language=' . $language_code) .
    tep_draw_hidden_field('MC_callback', $worldpay_callback[1] . '?language=' . $language_code) .

and the dynamic callback still will not work. I can see the hidden field is in fact there and is being passed to worldpay. Anyway it is working when I put the callback directly into the worldpay panel. Is there any reason I shouldn't be doing this??

Thanks!
rw
ivanteo, posted March 26, 2004:

Hi peeps, not sure if anyone has seen this potential security risk. After I've done a checkout and been redirected to the WorldPay page, I am able to enter this: www.mystore.com/wpcallback.php?transStatus=Y, and the order will be processed as success even without paying.

Ivan.
ivanteo, posted March 26, 2004 (edited):

What I propose is to change the following code in /catalog/wpcallback.php

    if(isset($transStatus) && $transStatus == "Y") { ?

to

    $transStatus = "";
    $transStatus = $_POST['transStatus'];
    if(isset($_POST['transStatus']) && $transStatus == "Y") { ?

Edited March 26, 2004 by ivanteo
Pharkie, posted March 26, 2004:

It is a security hole yes, and there are several with this module that I've already hinted at previously in the thread. Well spotted though! As for code, I'd replace your:

    $transStatus = "";
    $transStatus = $_POST['transStatus'];
    if(isset($_POST['transStatus']) && $transStatus == "Y") {

with..

    if(isset($_POST['transStatus']) AND ($_POST['transStatus'] == "Y")) {

I use 'AND' rather than '&&' - I believe it's better in most situations. It's probably no more secure though - you could construct a form that POSTs 'transStatus=Y' to wpcallback.php and it would probably work just like faking the GET variable as you're suggesting. The answer is to make use of Worldpay's MD5 passwords and other security features, detailed in its integration guide and missing from the current OSC module.
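An added example, not part of the thread and not osCommerce or WorldPay code, contrasting the transStatus-only check discussed above with a callback check that also requires a shared callback password and matches the order the shop recorded. The field names callbackPW, cartId, amount and currency, and all sample values, are assumptions to be confirmed against WorldPay's integration guide.

```php
<?php
// Added example (not osCommerce or WorldPay code). Field names callbackPW, cartId,
// amount and currency are assumptions; confirm them in the integration guide.

// Weak check quoted in the thread: any request carrying transStatus=Y passes.
function callback_ok_weak(array $post): bool
{
    return isset($post['transStatus']) && $post['transStatus'] === 'Y';
}

// Hardened check: the request must also prove knowledge of a shared secret
// and must match the order the shop recorded before redirecting the customer.
function callback_ok_hardened(array $post, array $order, string $secret): bool
{
    foreach (['transStatus', 'callbackPW', 'cartId', 'amount', 'currency'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;               // missing or array-typed field
        }
    }
    if (!hash_equals($secret, $post['callbackPW'])) {
        return false;                   // constant-time secret comparison
    }
    if ($post['transStatus'] !== 'Y') {
        return false;
    }
    // Compare against server-side order data, never against values from the form.
    return $post['cartId'] === $order['cartId']
        && $post['currency'] === $order['currency']
        && number_format((float) $post['amount'], 2, '.', '') === $order['amount'];
}

// Constructed sample data.
$secret  = 'example-callback-secret';
$order   = ['cartId' => 'order-1001', 'amount' => '49.99', 'currency' => 'GBP'];
$forged  = ['transStatus' => 'Y'];
$genuine = ['transStatus' => 'Y', 'callbackPW' => $secret,
            'cartId' => 'order-1001', 'amount' => '49.99', 'currency' => 'GBP'];
$altered = ['amount' => '0.01'] + $genuine;   // same callback, different amount

foreach (['forged' => $forged, 'genuine' => $genuine, 'altered' => $altered] as $name => $post) {
    printf("%-8s weak=%s hardened=%s\n", $name,
        var_export(callback_ok_weak($post), true),
        var_export(callback_ok_hardened($post, $order, $secret), true));
}
```

The amount comparison is what automates the manual "check your orders by hand" step mentioned earlier in the thread.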
ivanteo, posted March 26, 2004:

Haha forgive me for my sloppy programming. :D
robr, posted March 27, 2004:

Hi, anyone any ideas on the callback failure? I have the same problem: if I put http://<wpdisplay item="MC_callback"> into the WP callback URL I get a failure. Replacing the callback URL with www.mysite.com results in a callback success and everything is fine. Using osCommerce MS2 with Worldpay 4.0 v1.4

Robr