Can't seem to find much info on what seems like a very simple exploit in v1.5.5.1.
Using PayPal Standard, at step 6 of checkout, a user can 'inspect element' on the 'confirm order' button with their web browser and change the price of items before clicking 'confirm order' and sending to PayPal, e.g. set the price to $0.01. The transaction is successful and appears as normal in OpenCart, but checking the PayPal account, the edited price is what has actually been processed.
At the callback the order total and the paid total are compared, and if they don't match the order is not marked as complete.
Yes, that's what one would hope for but not the case.
Apparently this is a very old problem - see this https://www.paypal-community.com/t5/Abo ... anguage=en
Also written about here with a link to a solution http://www.antropy.co.uk/blog/paypal-st ... art-1-5-x/
I have installed this and it works (had to configure IPN address to my website I think)
But really? This has been around since 2012 without being addressed? Did I miss something?
The totals do get compared in OpenCart, please check the code of the pp standard controller and you will see the check is made.
florinsith wrote:
The totals do get compared in OpenCart, please check the code of the pp standard controller and you will see the check is made.

Would you mind pointing out where that is? It's definitely not working if it's there.
I purchased a small vqmod that runs the check but it's getting caught up in rounding errors and currency conversion where the amounts don't match exactly. Perhaps if I can see the original checkpoint it will help sort it out.
From what I can see (I'm not a developer) it checks for a successful PayPal transaction but doesn't verify the amount. So a successful transaction for $0.01 will be good enough to pass the check.
catalog/controller/payment/pp_standard.php (IPN callback):

// Both conditions must hold: the money went to the shop's own PayPal account, and the
// gross amount PayPal reports equals the order total converted into the order's currency
// (format() with $format = false returns the amount as a plain number string, no symbol).
if ((strtolower($this->request->post['receiver_email']) == strtolower($this->config->get('pp_standard_email'))) && ((float)$this->request->post['mc_gross'] == $this->currency->format($order_info['total'], $order_info['currency_code'], $order_info['currency_value'], false))) {
    $order_status_id = $this->config->get('pp_standard_completed_status_id');
} else {
    // Note: the same log line is written whether the e-mail or the amount failed to match.
    $this->log->write('PP_STANDARD :: RECEIVER EMAIL MISMATCH! ' . strtolower($this->request->post['receiver_email']));
}
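The check above only decides whether the order is marked completed; the thread's two practical problems are a tampered mc_gross and false mismatches from rounding and currency conversion. The following is an added example, not OpenCart's code and not the vqmod mentioned above: a standalone PHP function that validates an IPN notification against a stored order. It assumes the IPN body has already been posted back to PayPal and answered "VERIFIED" (that step needs network access and is left out), uses the standard IPN field names (payment_status, receiver_email, mc_currency, mc_gross, txn_id), and takes an $order array whose keys mirror the order_info fields used in pp_standard.php plus the currency's decimal_place. The tolerance of one unit in the last decimal place is an assumption chosen to absorb per-line versus total rounding differences; the sample orders and IPN messages are constructed.

```php
<?php
// Added example, not OpenCart's own code. Validates a PayPal IPN against a stored
// order. Assumed: the IPN was already echoed back to PayPal and answered VERIFIED.
declare(strict_types=1);

/**
 * Return [true, 'ok'] when the IPN proves payment of this order, else [false, reason].
 * $seenTxnIds: txn_id values already credited, so one IPN cannot confirm two orders.
 * $toleranceUnits: allowed difference in units of the last decimal place (assumed 1).
 */
function ipn_matches_order(array $ipn, array $order, string $shopEmail,
                           array $seenTxnIds = [], int $toleranceUnits = 1): array
{
    // 1. Only a completed payment counts; Pending/Reversed/Refunded must not complete the order.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return [false, 'payment_status is not Completed'];
    }
    // 2. The money must have gone to our account (case-insensitive, as in the stock check).
    if (strtolower(trim($ipn['receiver_email'] ?? '')) !== strtolower(trim($shopEmail))) {
        return [false, 'receiver_email mismatch'];
    }
    // 3. Currency must be the order currency, or the same number in a weaker currency passes.
    if (($ipn['mc_currency'] ?? '') !== $order['currency_code']) {
        return [false, 'mc_currency mismatch'];
    }
    // 4. Replay protection: a txn_id may only credit one order.
    if (isset($ipn['txn_id']) && in_array($ipn['txn_id'], $seenTxnIds, true)) {
        return [false, 'txn_id already processed'];
    }
    // 5. Amount: convert the base-currency total with the rate stored on the order, round
    //    both sides to the currency's decimal places, then compare within the tolerance.
    $decimals  = (int) $order['decimal_place'];
    $expected  = round((float) $order['total'] * (float) $order['currency_value'], $decimals);
    $paid      = round((float) ($ipn['mc_gross'] ?? 0), $decimals);
    $tolerance = $toleranceUnits * (10 ** -$decimals) + 1e-9; // 1e-9 absorbs float noise
    if (abs($paid - $expected) > $tolerance) {
        return [false, sprintf('mc_gross %s does not match expected %s',
            number_format($paid, $decimals, '.', ''), number_format($expected, $decimals, '.', ''))];
    }
    return [true, 'ok'];
}

// Constructed sample data (not real orders or transactions).
$order = [
    'total'          => 123.456, // store base currency, before conversion
    'currency_code'  => 'EUR',
    'currency_value' => 1.17,    // rate stored with the order at checkout: 144.44 EUR
    'decimal_place'  => 2,
];
$shopEmail = 'Payments@Example.com';

$honest = ['payment_status' => 'Completed', 'receiver_email' => 'payments@example.com',
           'mc_currency' => 'EUR', 'mc_gross' => '144.44', 'txn_id' => 'TXN0001'];
$offByOneCent = $honest; $offByOneCent['mc_gross'] = '144.45';   // per-line rounding: accepted
$tampered     = $honest; $tampered['mc_gross']     = '0.01';     // price edited in the browser
$wrongCcy     = $honest; $wrongCcy['mc_currency']  = 'JPY';      // same number, cheaper currency
$pending      = $honest; $pending['payment_status'] = 'Pending'; // eCheck not yet cleared

$cases = ['honest' => $honest, 'off by one cent' => $offByOneCent, 'tampered' => $tampered,
          'wrong currency' => $wrongCcy, 'pending' => $pending, 'replayed' => $honest];
$seen = [];
foreach ($cases as $label => $ipn) {
    [$ok, $reason] = ipn_matches_order($ipn, $order, $shopEmail, $seen);
    if ($ok) {
        $seen[] = $ipn['txn_id']; // credit once; the final 'replayed' case must then fail
    }
    printf("%-16s %s (%s)%s", $label, $ok ? 'COMPLETE' : 'HOLD', $reason, PHP_EOL);
}
```

Only the honest and the one-cent case come back COMPLETE; the tampered amount, the currency swap, the pending payment and the replayed txn_id all stay on HOLD with a reason you can log, which is the message the stock controller does not give you.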
By the way, the 'fix' that Daniel Kerr posted at http://www.antropy.co.uk/blog/paypal-st ... art-1-5-x/ doesn't work. It just leaves everything in pending status. 3 years later he can't even get that right.
3 years, that's only about 1'100 days, so what's the hurry?!
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.