osCommerce

Paypal IPN - Massive Security Hole (?)


akbal

Let me preface this by saying that I'm prepared to accept that I'm just not doing something right, however:

 

I think there's a hole big enough to fit a Mack truck through in the Paypal IPN module.

 

Say you've got an item that's a downloadable item worth $25. Bob checks out using Paypal IPN and is directed to Paypal, where he's presented with option of paying $25 for his purchase. Meanwhile, his order has already been created with a status of Paypal Processing - download is not yet available.

 

Being the sneaky sort, Bob checks the URL at Paypal and, lo!, there, not particularly well hidden in the URL, is the PRICE of the item he's about to purchase. Bob snickers to himself and changes the price from $25.00 to $0.01, then resubmits. Sure enough, Paypal pops up a fresh page that allows him to pay $0.01 for this item now.

 

Bob completes his transaction, and this is where everything falls apart. Paypal sends the IPN to osCommerce saying that order # XX for Bob Dobbs has been VERIFIED. The IPN module says VERIFIED? Great, let me just update the order status to "Paid" or whatever it's been configured to do. IT DOES NOT CHECK TO SEE HOW MUCH HAS BEEN PAID, OR IF THE AMOUNT PAID EQUALS THE AMOUNT THAT THE ORDER IS WORTH.

 

In this case, Bob's $25 order is now ready for download for $0.01. Quite a bargain, eh?

 

I've tested this over and over again, using cURL, not using cURL, test mode, not test mode, etc. This is with Paypal IPN v0981 for milestone 2.

 

Seems to me that a crucial step has been left out of the order verification process - but as I say, I'd not be surprised to find out I've just screwed something up :P Anyone else getting this?


Sure...you found a problem and something that should be addressed. I wouldn't consider it a security hole. Nothing is actually compromised. We always check the order anyways when they are paypals. Wouldn't you think it odd someone paying you with paypal only a penny? Well...just make sure to manually check all orders.


I just went and read the IPN manual provided by PayPal:

 

https://www.paypal.com/en_US/pdf/ipn.pdf

 

On page 5, step 5, it states what needs to take place after payment is received:

 

When you receive a VERIFIED response, you need to perform several checks before fulfilling the order (an INVALID response should be treated as suspicious, and should be investigated).

  • Confirm that the payment status is "Completed," since IPNs are also sent for status types such as "Pending" or "Failed."
  • Check that the transaction ID is not a duplicate - this prevents a fraudster from using an old, completed transaction.
  • Validate that the "receiver_email" is truly your account - this prevents the payment from being sent to a fraudster's account.
  • Check other transaction details, such as item number and price, to confirm that the price hasn't been changed.

As you can see PayPal provides the information needed to make sure what is described doesn't happen. If you look at the last bullet point it talks specifically about this issue.

 

Keep in mind this is still a beta release. I also use this module in my site, but do not have any downloadable items, and I verify all my payments before taking any actions. Regardless I would like to see this module working 100% and taking full use of all the IPN features.

 

I do not know if Pablo Pasqualino has time to correct this; if not, I will try to find the time to do this, however, it will take me longer since I will have to look through unfamiliar code. From what I can roughly see it is fairly complicated and spread across 22 files that are either modifications in core files, or new files.

 

We need to give Pablo a chance to accept or decline fixing this, since he would be the best suited for it and out of respect.

 

In the mean time I will attempt to contact him and see where he stands on this, and I will also start familiarizing myself with his code, and the IPN specifications just in case.

 

-Aalst


Well..simply put. On the order form it says what the person should have paid. If you got anything less in your paypal account then you have a problem. I log into paypal to verify ALL the orders I have from IPN but I never look to see in OSC if the paypal sale was verified...why bother...

 

You also have to be careful with Paypal to ship only to the confirmed address if you want to get Paypal's protection policy for sellers. I don't ship anything but to the confirmed address. I see fraud orders all the time with Paypal. I just cancel them and wait for Paypal to take the money back.


Sure...you found a problem and something that should be addressed. I wouldn't consider it a security hole. Nothing is actually compromised. We always check the order anyways when they are paypals. Wouldn't you think it odd someone paying you with paypal only a penny? Well...just make sure to manually check all orders.

Of course, we will be manually checking all orders until this bug is fixed, but it falls far short of this module's potential to have to be doing so.

 

Since I'm offering a downloadable product, the idea was/is to use the IPN to update the order status to a level that makes the download available (using the downloads controller.) The aim being to provide the customer with the immediate gratification that comes from shopping on the web.

 

And yes, of course I would think it was odd to be underpaid - but in the case of automatically enabled downloads, the damage would be done before the shop owner noticed.

 

I claim it as a security problem because the thing works just well enough to let you believe it can be trusted. :)

 

Doesn't seem like it should be too much work to add an extra check against order value. Probably could spend a good deal of time trying to figure out how to deal with under-paid orders, though... Customer/administrator notification, etc.

 

If it's still an issue when I finally get the rest of my shop together I'll gladly lend a hand to get it fixed, Pablo has done some really good work with this one.


Well..simply put. On the order form it says what the person should have paid. If you got anything less in your paypal account then you have a problem. I log into paypal to verify ALL the orders I have from IPN but I never look to see in OSC if the paypal sale was verified...why bother...

 

You also have to be careful with Paypal to ship only to the confirmed address if you want to get Paypal's protection policy for sellers. I don't ship anything but to the confirmed address. I see fraud orders all the time with Paypal. I just cancel them and wait for Paypal to take the money back.

 

It is a major security hole that needs to be addressed and will be in the very near future. It is a security hole because it allows people to change their order without it being caught and corrected automatically. It allows people who purchase things that are processed AUTOMATICALLY to get their products before a manual process can catch it. This mainly affects PURCHASED DOWNLOADS.

 

It is also a major bug because it was designed without following the PayPal IPN specifications that are published on the PayPal website. Therefore it needs to be brought up to their specifications.

 

-Aalst


Hi Aalst

 

Thanks for the alert

 

It was already reported by a guy that was also selling download products and had the same problem.

 

Price verification is not yet implemented, and that problem should have been told and documented a long time ago. :(

 

It will surely be included on the next release of the module: v0.99

It is already being developed with some changes on the configuration scripts.

 

I can not finish the new release until I finish another job I am currently doing, but as soon as I get the new version working I will release it.

 

v0.99 will only work on Milestone 2, but I think I will write the fix code for those using v0.971 (for Milestone 1) since a lot of people are using M1.

 

Sorry for that problem and I hope to have the new version asap.

 

Best regards


Hi there,

 

I have a "kind of" fix for this. It will let you set the minimum payment that will activate a download/successful transaction.

 

open paypal_notify.php (in the root) and find this line:

 

// paypal_notify.php: $paypal_response holds PayPal's answer to the
// postback of the IPN; VERIFIED means the notification is authentic.
if (ereg('VERIFIED', $paypal_response)) {
    $response_verified = 1;
    $ipn_result = 'VERIFIED';

 

And change it to this:

 

// Workaround: any payment below $0.50 is forced to INVALID before the
// VERIFIED test, so a token payment never releases the order.
// $mc_gross is PayPal's gross payment amount; it is assumed to have been
// read from the IPN POST earlier in paypal_notify.php.
if ($mc_gross < 0.50) {
    $response_invalid = 1;
    $ipn_result = 'INVALID';
} else if (ereg('VERIFIED', $paypal_response)) {
    $response_verified = 1;
    $ipn_result = 'VERIFIED';

 

A payment of $0.50 or less now results in an invalid ipn_result and thus downloads won't be activated. I would suggest that you set the price at the lowest priced product - at least you will get some money, and they will probably give up trying to rip you off if it won't work at $0.01.

 

You can also give them a nasty message too by making some changes to checkout_success.php (in the root). I can't remember exactly what I did, but here is the code - you will be able to add it easily enough - I think I just added the extra if statement:

 

// checkout_success.php: $paypalipn holds the IPN data recorded for this
// order. The first branch is the added one; the rest is the module's own
// success / pending / failed message selection.
if ($paypalipn['mc_gross'] < 0.99) {
    $NAVBAR_TITLE_2 = PAYPAL_NAVBAR_TITLE_2_NASTYMESSAGE;
    $HEADING_TITLE = PAYPAL_HEADING_TITLE_NASTYMESSAGE;
    $TEXT_SUCCESS = PAYPAL_TEXT_SUCCESS_NASTYMESSAGE;
    $cart->reset(TRUE);
} else if ($paypalipn['ipn_result'] == 'VERIFIED') {
    if ($paypalipn['payment_status'] == 'Completed') {
        $NAVBAR_TITLE_2 = PAYPAL_NAVBAR_TITLE_2_OK;
        $HEADING_TITLE = PAYPAL_HEADING_TITLE_OK;
        $TEXT_SUCCESS = PAYPAL_TEXT_SUCCESS_OK;
    } else if ($paypalipn['payment_status'] == 'Pending') {
        $NAVBAR_TITLE_2 = PAYPAL_NAVBAR_TITLE_2_PENDING;
        $HEADING_TITLE = PAYPAL_HEADING_TITLE_PENDING;
        $TEXT_SUCCESS = PAYPAL_TEXT_SUCCESS_PENDING;
    }
    $cart->reset(TRUE);
} else if ($paypalipn['ipn_result'] == 'INVALID') {
    $NAVBAR_TITLE_2 = PAYPAL_NAVBAR_TITLE_2_FAILED;
    $HEADING_TITLE = PAYPAL_HEADING_TITLE_FAILED;
    $TEXT_SUCCESS = PAYPAL_TEXT_SUCCESS_FAILED;

 

If someone pays 99 cents or less they get a nasty message like: filthy hacker, we know your address from PAYPAL - see you in court :)

 

Hope this helps.

 

Kindest regards

Lobos


Hey pablo could you add the code for a hit to the database to get the value for the product? - this would be better because then you could have the correct price of the product :)


If someone wants to implement Lobos' workaround, great; however, I wouldn't recommend anyone release another PayPal IPN since Pablo is already developing a new release with a fix for this problem.

 

I would prefer to wait for a release from the original author since he is going to do it and since he is the most familiar with his code. If he couldn't do it or didn't want to, then having someone else pick up the project would be great.

 

That is just my opinion...

 

-Aalst


Someone had to give a fix for this in the meantime though, as I bet a lot of people started sweating when they heard about this - I know I did!!!

 

All it will take is a hit to the database to get the value for the product and it will be done; this could save Pablo creating a version just for MS1... This will not be another version, it is just a patch for people who don't want to upgrade - I know I don't because I have hacked the hell outta the module LOL

 

Kindest regards

Lobos
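
Pulling the thread together, here is an added example (not code from the osCommerce PayPal IPN module, nor from Pablo, Lobos or anyone else posting here): a PHP function that applies the four checks from the PayPal IPN guide quoted earlier to the order osCommerce has already stored, and takes the real price from the database as suggested above instead of a fixed minimum. Assumptions: `load_order()` and `txn_id_already_used()` stand in for database queries (the `orders_total` row with class `ot_total` is standard osCommerce 2.2; the module's IPN log table is not assumed), the order id is taken from PayPal's `custom` field, the shop's PayPal address is `sales@example.com`, and the two IPN arrays are constructed sample data. Requires PHP 7.1 or later for the typed signatures.

```php
<?php
// Added example, not part of the osCommerce PayPal IPN module. Runs the checks
// PayPal's IPN guide requires after a VERIFIED postback, against the order
// osCommerce stored when the customer checked out. Assumptions marked below.

// Stand-in for the database lookup (constructed sample data). In osCommerce
// 2.2 the total would come from
//   SELECT value FROM orders_total WHERE orders_id = ? AND class = 'ot_total'
// and the currency from orders.currency.
function load_order(int $orders_id): ?array {
    $orders = [
        1001 => ['total' => 25.00, 'currency' => 'USD', 'status' => 'PayPal Processing'],
    ];
    return $orders[$orders_id] ?? null;
}

// Stand-in for "has this txn_id been recorded before?" (constructed sample
// data; the module's IPN log table name is not assumed here).
function txn_id_already_used(string $txn_id): bool {
    $already_processed = ['1AB2CD3EF4GH5IJ67'];
    return in_array($txn_id, $already_processed, true);
}

/**
 * Call after the postback to PayPal answered VERIFIED. Returns an empty array
 * when the order may be released (status -> Paid, download enabled), otherwise
 * the reasons it must stay in "PayPal Processing" for manual review. All
 * failures are collected so an admin e-mail can list every one of them.
 *
 * $shop_email is the PayPal account payments are expected to land in. The
 * order id is read from PayPal's 'custom' field, which this example ASSUMES
 * the module fills with orders_id; adjust to where your module keeps it.
 */
function ipn_release_problems(array $ipn, string $shop_email): array {
    $problems = [];

    // 1. Only 'Completed' means cleared money; IPNs also arrive for Pending,
    //    Failed, Refunded, Reversed and others.
    $status = $ipn['payment_status'] ?? '(missing)';
    if ($status !== 'Completed') {
        $problems[] = "payment_status is $status, not Completed";
    }

    // 2. A txn_id seen before is a replay of an old, completed transaction.
    $txn_id = $ipn['txn_id'] ?? '';
    if ($txn_id === '' || txn_id_already_used($txn_id)) {
        $problems[] = 'txn_id missing or already processed';
    }

    // 3. The money must have gone to this shop, not to an account the
    //    customer substituted into the PayPal form.
    if (strcasecmp($ipn['receiver_email'] ?? '', $shop_email) !== 0) {
        $problems[] = 'receiver_email is not the shop account';
    }

    // 4. Amount and currency are compared with what osCommerce stored for the
    //    order, never with anything the browser sent to PayPal.
    $order = load_order((int) ($ipn['custom'] ?? 0));
    if ($order === null) {
        $problems[] = 'no order matches the IPN';
        return $problems;
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'mc_currency ' . ($ipn['mc_currency'] ?? '(missing)')
                    . ' does not match order currency ' . $order['currency'];
    }
    // Compare whole cents; comparing floats with == is unreliable.
    $paid_cents = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $owed_cents = (int) round($order['total'] * 100);
    if ($paid_cents !== $owed_cents) {
        $problems[] = sprintf('mc_gross %.2f does not match order total %.2f',
                              $paid_cents / 100, $owed_cents / 100);
    }
    return $problems;
}

// Constructed sample: the IPN Bob's tampered $0.01 payment would produce ...
$tampered = [
    'payment_status' => 'Completed',
    'txn_id'         => '9ZY8XW7VU6TS5RQ43',
    'receiver_email' => 'sales@example.com',
    'custom'         => '1001',
    'mc_currency'    => 'USD',
    'mc_gross'       => '0.01',
];
// ... and the IPN for an honest $25.00 payment of the same order.
$honest = $tampered;
$honest['txn_id']   = '5QR4ST3UV2WX1YZ09';
$honest['mc_gross'] = '25.00';

foreach (['tampered' => $tampered, 'honest' => $honest] as $label => $ipn) {
    $problems = ipn_release_problems($ipn, 'sales@example.com');
    echo $label, ': ', $problems ? 'HOLD - ' . implode('; ', $problems) : 'release order', "\n";
}
```

In paypal_notify.php this would sit inside the VERIFIED branch: only when the function returns an empty array is the order moved to the "Paid" status that enables the download; otherwise the order stays in PayPal Processing and the admin is mailed the reasons. Because the comparison is against the stored order total (which already includes tax and shipping), there is no threshold for an attacker to aim at, which is the weakness of a fixed $0.50 or $0.99 floor.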

