
Thread: Possible security issue in checkout process?

  1. #1
    viswablr
    Guest


    Possible security issue in checkout process?

    Hi All,

    I have installed OSCmax 2.5.2 and am testing my site. I found a possible security issue. Please clarify the below situation.

    1) Customer logs into 'my account'

    2) Adds an item into cart

    3) Presses 'Checkout' tab (One page checkout not enabled)

    4) Site takes the customer through checkout_shipping.php and then checkout_payment.php

    This is where I found the security issue.

    After step (4), if I manually type the URL "www.storename.com/checkout_success.php", the order gets completed!!! Even before the customer makes the payment....

    In one instance, I noticed that order_process email is also sent to the customer.

    But in some other instances, no email was sent to the customer, but "Your order has been successfully processed" message appears to the customer.

    Please clarify ....

    P.S: I tested this behaviour with the oscmax store also (the one that sells the admin manual; there also I could see a similar issue)

    Thanks
    Viswa

  2. #2
    viswablr
    Guest


    Re: Possible security issue in checkout process?

    One more update: No need to go through any of the steps mentioned above.

    Very simple steps:

    1) Add some items into cart

    2) Type the URL: http://storename.com/checkout_success.php

    I am able to see "Your Order has been successfully processed" message.

    regards
    Viswa


  3. #3
    michael_s
    osCMax Developer

    Re: Possible security issue in checkout process?

    I see that it goes to checkout success, but the order is not properly completed and no order is stored in the database.

    This is definitely a bug and it should just redirect back to the shopping cart like it does when not logged in.

  4. #4
    michael_s
    osCMax Developer

    Re: Possible security issue in checkout process?

    I have reproduced this issue and it does pose a big problem.

    There are several methods to approach fixing this issue. The quickest hack for immediate help would be to use .htaccess to limit access only to the domains that should be authorized to use it (localhost and your payment processors). I have tested this method and it works pretty well, but your mileage may vary.

    Something like this should help:

    Code:
    #limit access to checkout_process.php to only authorized referring domains
    <Files checkout_process.php>
    # tag the request by the Referer header the client sent (case-sensitive regex)
    SetEnvIf Referer "^http://local\.site\.com" local_referral
    SetEnvIf Referer "^http://remote\.domain\.com" auth_referral
    # Apache 2.2 access control: deny everyone, then allow only tagged requests
    Order Deny,Allow
    Deny from all
    Allow from env=local_referral
    Allow from env=auth_referral
    </Files>
    Change the domains in the following directives to any domains that legitimately need to access that file:

    SetEnvIf Referer "^http://local\.site\.com" local_referral
    SetEnvIf Referer "^http://remote\.domain\.com" auth_referral
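The .htaccess rule above keys on the Referer header, which the client sends and can set to anything (curl -H "Referer: ..." will do), and which browsers omit when a customer moves from an https page to an http one. The durable fix for the forced-browsing problem this thread describes is a check in the PHP itself: each checkout_*.php page refuses to run unless the session shows the preceding step was completed, and checkout_process.php additionally requires a payment-confirmed flag that only the payment module sets after it has verified the payment with the gateway. What follows is an added example written for this page, not osCMax's own code: the function names, the page file names and the session keys checkout_done and payment_confirmed are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example (editor's illustration, not osCMax code). Function names,
// page names and the session keys 'checkout_done' and 'payment_confirmed'
// are assumptions.
declare(strict_types=1);

// The checkout pages, in the only order a session may complete them.
const CHECKOUT_STEPS = ['shipping', 'payment', 'confirmation', 'process', 'success'];

// Page the visitor must be sent to before $step may be served, or null when
// every earlier step was completed in this session. Call it first thing in
// each checkout_<step>.php, before any order is written or any mail is sent.
function checkout_redirect_for(array $session, string $step): ?string
{
    $idx = array_search($step, CHECKOUT_STEPS, true);
    if ($idx === false) {
        return 'shopping_cart.php';            // unknown step: back to the cart
    }
    $done = $session['checkout_done'] ?? [];
    for ($i = 0; $i < $idx; $i++) {
        if (!in_array(CHECKOUT_STEPS[$i], $done, true)) {
            return 'checkout_' . CHECKOUT_STEPS[$i] . '.php';   // first missing step
        }
    }
    // Writing the order additionally needs a payment that the payment module
    // verified with the gateway (IPN/PDT, or an inline authorisation result),
    // never something inferred from Referer or from a query string.
    if ($step === 'process' && empty($session['payment_confirmed'])) {
        return 'checkout_payment.php';
    }
    return null;
}

// Record that $step finished. Refuses (returns false) when an earlier step
// is missing, so the flag cannot be planted by visiting pages out of order.
function checkout_complete_step(array &$session, string $step): bool
{
    if (checkout_redirect_for($session, $step) !== null) {
        return false;
    }
    $done = $session['checkout_done'] ?? [];
    if (!in_array($step, $done, true)) {
        $done[] = $step;
    }
    $session['checkout_done'] = $done;
    return true;
}

// Once checkout_success.php has rendered, clear the state so a reload or a
// bookmarked checkout_success.php does not show "successfully processed" again.
function checkout_reset(array &$session): void
{
    unset($session['checkout_done'], $session['payment_confirmed']);
}

// How the top of checkout_process.php would use the gate (illustrative):
//
//   session_start();
//   if (($to = checkout_redirect_for($_SESSION, 'process')) !== null) {
//       header('Location: ' . $to, true, 303);
//       exit;
//   }
//   ... payment module runs, order row is written, e-mail is sent ...
//   checkout_complete_step($_SESSION, 'process');
//   header('Location: checkout_success.php', true, 303);
//   exit;
```

With this in place, the steps from post #2 (add items, type checkout_success.php) send the visitor to checkout_shipping.php, because nothing earlier was completed in that session, and a request for checkout_process.php is bounced to checkout_payment.php unless the payment module has set payment_confirmed. The store's own redirect helper can replace the raw header() calls.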

  5. #5
    JRR
    Senior Member

    Re: Possible security issue in checkout process?

    I have been able to reproduce this problem in 2.0.25 as well.
    So I'm assuming that for PayPal the remote line would read:

    SetEnvIf Referer "^http://remote\www\.paypal\.com" auth_referral (??)

    Sorry, not clear as to exactly how that environment variable should be set...and reading (Apache definition page for SetEnvIf) just gives me a headache at this hour of the night...

    Thanks!

  6. #6
    ridexbuilder
    osCMax Development Team

    Re: Possible security issue in checkout process?

    Quote Originally Posted by JRR View Post
    ...So I'm assuming that for PayPal remote line would read:

    Code:
    SetEnvIf Referer "^http://remote\www\.paypal\.com" auth_referral
    Nope.
    Code:
    SetEnvIf Referer "^http://www\.paypal\.com" auth_referral
    Might be better to also include - 'www' is so yesterday.
    Code:
    SetEnvIf Referer "^https://www\.paypal\.com" auth_referral


  7. #7
    JRR
    Senior Member

    Re: Possible security issue in checkout process?

    Ah - the "remote" in "^http://remote\www\.paypal\.com" actually is the prefix of the 'remote' site (paypal.com) - in this case "www".

    Thanks!

    'www' may be so yesterday, but there are still many sites that aren't found without that prefix added...

  8. #8
    JRR
    Senior Member

    Re: Possible security issue in checkout process?

    Further to this, I finally had a Canadian customer try to use the "Cheque/Money Order" option in the shopping cart payment and got the 'Forbidden' message. In order to allow that order to go through (using admin/) I edited out the extra bits added to .htaccess (paypal and Canada Post authorization), but in thinking it over I'm wondering if this line would work correctly:

    SetEnvIf Referer "^http://local\.websitename\.com" local_referral

    and also add at the end of that section:

    Allow from env=local_referral

    Now I am assuming that 'local' in this case refers to the website hosting the catalog. I had tried it as

    SetEnvIf Referer "^http://www\.websitename\.com" auth_referral

    but that didn't work.

    Suggestions?
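For anyone tuning the SetEnvIf lines, here is an added example (the editor's, not from the thread or from osCMax) that emulates what Apache does with the snippet from post #4: it runs the Referer regexes against a few constructed Referer values, then applies Order Deny,Allow / Deny from all / Allow from env=... (with that Order, a matching Allow wins). The store hostname websitename.com and every sample Referer are made up for the demonstration, and the local rule is widened to https?:// because the store's own checkout pages are normally served over https.

```php
<?php
// Added example (editor's illustration, not osCMax code). Hostnames and the
// sample Referer values below are constructed for the demonstration.
declare(strict_types=1);

// The SetEnvIf lines: PCRE pattern => environment variable it sets.
// Matching is case-sensitive, as with SetEnvIf (SetEnvIfNoCase ignores case).
const REFERER_RULES = [
    '#^https?://www\.websitename\.com#' => 'local_referral',   // the store itself
    '#^http://www\.paypal\.com#'        => 'auth_referral',    // post #6, http
    '#^https://www\.paypal\.com#'       => 'auth_referral',    // post #6, https
];

// Environment variables SetEnvIf would set for one request. $referer is
// whatever the client sent; '' models a missing Referer header.
function referer_env(string $referer): array
{
    $env = [];
    foreach (REFERER_RULES as $pattern => $var) {
        if (preg_match($pattern, $referer) === 1) {
            $env[$var] = true;
        }
    }
    return $env;
}

// Order Deny,Allow + Deny from all + Allow from env=...: the request is
// served when any listed variable is set, otherwise Apache answers 403.
function apache_allows(array $env, array $allowFromEnv = ['local_referral', 'auth_referral']): bool
{
    foreach ($allowFromEnv as $var) {
        if (!empty($env[$var])) {
            return true;
        }
    }
    return false;
}

// Constructed requests to checkout_process.php and the Referer each carries.
function checkout_process_decisions(): array
{
    $samples = [
        'cheque: customer arrives from the store'       => 'https://www.websitename.com/checkout_confirmation.php',
        'paypal: customer returned by the gateway'      => 'https://www.paypal.com/cgi-bin/webscr',
        'store reached without the www prefix'          => 'https://websitename.com/checkout_confirmation.php',
        'no Referer (https to http, or privacy setting)' => '',
        'attacker: curl -H "Referer: https://www.paypal.com/"' => 'https://www.paypal.com/',
    ];
    $out = [];
    foreach ($samples as $label => $referer) {
        $out[$label] = apache_allows(referer_env($referer)) ? 'served' : '403 Forbidden';
    }
    return $out;
}

print_r(checkout_process_decisions());
```

The first row is what post #8 is after: the local_referral rule has to match the scheme and host the customer's browser is really on when it submits the confirmation page, or the Cheque/Money Order path gets the same 403 the PayPal path would. The third and fourth rows show the two ways a legitimate customer is still refused (a host spelling the regex does not cover, and a browser that sent no Referer at all), and the last row shows that the rule is not authentication: any client that types the expected Referer is let through.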
