Post by Ozfarmer » Fri Mar 08, 2019 3:13 pm

Apparently in 2015 PayPal sent out an alert of an issue with PayPal Standard on OpenCart 1.5 but I must have missed the memo :( We have been using PP Standard for nearly 10 years without an issue (we hope).

A couple of days ago we had a $1000 sale on our 2.3.0.2 site through PP Standard. Great! Then on a routine check of our PP account we discovered the buyer had only paid PP $23 for the $1000 item WTF?? Fortunately we hadn't sent it. It was still on the back of the courier's van. We contacted PP and this was the response:

Back in 2015, PayPal was alerted of a vulnerability that affected OpenCart v1.5 carts. Essentially at the checkout page, the buyer can open an HTML coding path and change the amount of the product. Both PayPal and OpenCart alerted people at the time, but obviously many years have passed since then.
I don’t know what version of OpenCart you have but here is a link that discussed that event, and a potential quick fix for you. This is all done from OpenCart’s site as they are the ones that had the vulnerability: https://www.antropy.co.uk/blog/paypal-s ... art-1-5-x/


Anyway it seems it's still an issue with 2.3.0.2 and hopefully no longer a problem with 3.0.3.0 which we are soon upgrading to. If you are still using PP Standard, don't; move to PP Express, as it has better security, so they tell us.

Post by thekrotek » Fri Mar 08, 2019 4:03 pm

Ozfarmer wrote:
Fri Mar 08, 2019 3:13 pm
Anyway it seems it's still an issue with 2.3.0.2.
Nope, it's not. In OC 2 it checks for total amount and returns "TOTAL PAID MISMATCH!" error.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


Post by ADD Creative » Fri Mar 08, 2019 11:20 pm

OpenCart 1.5.x has always had the code in to detect the amount being changed in the payment form. It's just that there were never clear instructions on how to correctly configure the order statuses. The mistake often made is that the standard OpenCart Order Status setting is not set to a clear value. I would recommend creating a new order status such as 'Exception' or 'Check' and setting it to that.

Other payment modules are also affected by the same problem, if they use an HTML form to post the order details.

www.add-creative.co.uk
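
The check described in the post above, as an added example (not OpenCart's code and not written by any poster in this thread): the order status is decided from what PayPal reports was paid, and any mismatch lands in a dedicated status that cannot be mistaken for a paid order. The status names and the `$order` layout are hypothetical, the `$ipn` keys are standard PayPal IPN variables, and the notification is assumed to have already been validated with PayPal.

```php
<?php
// Added illustration, not OpenCart's code. Status names and the $order array
// layout are hypothetical; the $ipn keys are standard PayPal IPN variables.
// Assumes the IPN message itself was already validated with PayPal.

const STATUS_PAID  = 'Processing'; // hypothetical "paid, OK to ship" status
const STATUS_CHECK = 'Check';      // hypothetical status used only for mismatches

/**
 * Decide the order status from what PayPal says was paid, never from the
 * amount in the checkout form, which the buyer's browser can edit.
 */
function statusForNotification(array $order, array $ipn): array
{
    $problems = [];

    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $order['merchant_email']) !== 0) {
        $problems[] = 'receiver mismatch';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }
    // Compare in integer cents to avoid float rounding surprises.
    $paid = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $due  = (int) round($order['total'] * 100);
    if ($paid !== $due) {
        $problems[] = sprintf('total paid mismatch: paid %d, due %d (cents)', $paid, $due);
    }

    // Any problem routes the order to the dedicated review status.
    return [
        'status'   => $problems ? STATUS_CHECK : STATUS_PAID,
        'problems' => $problems,
    ];
}

// Constructed sample data mirroring the thread: 1000 due, 23 paid.
$order = ['total' => 1000.00, 'currency' => 'AUD', 'merchant_email' => 'shop@example.com'];
$ipn   = ['payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
          'mc_currency' => 'AUD', 'mc_gross' => '23.00'];

print_r(statusForNotification($order, $ipn));
```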


Post by Ozfarmer » Sat Mar 09, 2019 5:40 am

Thanks for the replies, they assume we are using v1.5x but we are not, we are using v2.3.0.2? https://prnt.sc/mv8ko7

Post by thekrotek » Sat Mar 09, 2019 6:13 am

No, my reply assumes that you're using OC 2. Sorry, but it works just fine.

Post by ADD Creative » Mon Mar 11, 2019 3:23 am

Ozfarmer wrote:
Sat Mar 09, 2019 5:40 am
Thanks for the replies, they assume we are using v1.5x but we are not, we are using v2.3.0.2? https://prnt.sc/mv8ko7
The same advice applies to 2.3.0.2. Set the default Order Status setting to something you are not using in the PayPal Standard module and that you will recognise as indicating that the order and payment need checking.
