Got a question here. We sell instant downloadable designs. How can someone pay with PayPal, return to our site and download designs without even posting a payment to PayPal? I called PayPal and that transaction doesn't even exist. Also I've implemented a measure where a single order over $100 would be blocked (we sell $3.99 files and orders like that are very unusual) and the hacker was able to bypass that too.
Does anyone have any ideas?
PayPal standard?
Interesting! They might use the callback with fake data to fool oc the order was successful. You can check the apache logs for such activity.
You could set the complete status to pending to prevent immediate access to downloadables or restrict the callback to paypal's IP.
This is just conjecture, it would need some checking to see what's really going on.
Attn: I no longer provide OpenCart extensions, nor future support - this includes forum posts.
Reason: OpenCart version 3+
Thanks!
A few months ago, my friend developed an integration for a certain payment gateway here in asia.
We did a test order by completing a checkout, and the order status was set to pending.
To be able to automatically set the order to complete, there are certain steps the payment gateway requires.
But before we did that, my friend replicated the postback using a REST client in Chrome by getting the hash key from the URL link when the return from the payment gateway was done.
Successfully doing so, somewhere either OpenCart or the payment gateway has a vulnerability; we never concluded where it was.
The exploitation was done by getting the hash key from the URL link, and we used the hash key to do the postback via the REST client.
This could be the same vulnerability.
dmitryp wrote: ↑Sat Jun 24, 2017 4:39 am
Got a question here. We sell instant downloadable designs. How can someone pay with PayPal, return to our site and download designs without even posting a payment to PayPal? I called PayPal and that transaction doesn't even exist. Also I've implemented a measure where a single order over $100 would be blocked (we sell $3.99 files and orders like that are very unusual) and the hacker was able to bypass that too.
Does anyone have any ideas?

What version of OpenCart and which PayPal payment extension are you using? Have you switched on debug messages for that module?
artcore wrote: ↑Sat Jun 24, 2017 3:02 pm
PayPal standard?
Interesting! They might use the callback with fake data to fool oc the order was successful. You can check the apache logs for such activity.
You could set the complete status to pending to prevent immediate access to downloadables or restrict the callback to paypal's IP.
This is just conjecture, it would need some checking to see what's really going on.

The PayPal standard module does send the callback to PayPal for validating, which I think is to protect against that sort of thing. https://github.com/opencart/opencart/bl ... #L115-L134
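The two failure modes discussed in this thread (a forged callback that marks the order complete, and a postback replayed from a hash key copied out of the return URL) are both closed by the same defensive pattern: keep the order pending, ignore whatever the browser brings back in the return URL, and complete the order only after a server-to-server check of the notification plus a comparison of its fields against the order you actually stored. The PHP below is an added example written for this thread; it is not OpenCart's PayPal Standard module and not PayPal's code. The order array, the IPN bodies and the e-mail address are constructed sample data, and `$offlineVerify` stands in for the real postback so the logic can be run without network access; `postback_to_paypal()` shows what the real verification call looks like against PayPal's documented live IPN endpoint.

```php
<?php
// Added example (not OpenCart's or PayPal's code): gate "order complete" on a
// verified IPN, never on parameters carried in the browser's return URL.

// What our own database knows about the order (constructed sample values).
$order = [
    'order_id'       => 1001,                // hypothetical order number
    'total'          => '3.99',
    'currency'       => 'USD',
    'receiver_email' => 'sales@example.com', // placeholder for our PayPal account
];

/**
 * Server-to-server verification: echo the exact raw IPN body back to PayPal
 * with cmd=_notify-validate prepended. PayPal answers VERIFIED or INVALID.
 */
function postback_to_paypal(string $rawBody, string $endpoint = 'https://ipnpb.paypal.com/cgi-bin/webscr'): string
{
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return is_string($res) ? trim($res) : 'INVALID';
}

/**
 * Returns null when the IPN may complete the order, otherwise the reason it
 * must stay pending. $verify is injectable (use postback_to_paypal in production).
 */
function ipn_rejection_reason(string $rawBody, array $order, array $usedTxnIds, callable $verify): ?string
{
    // 1. A body PayPal did not send (forged or tampered) never verifies.
    if ($verify($rawBody) !== 'VERIFIED') {
        return 'postback not VERIFIED';
    }
    parse_str($rawBody, $ipn);

    // 2. The money must actually have settled.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed';
    }
    // 3. The payment must be to our account, not to an account the attacker controls.
    if (!hash_equals($order['receiver_email'], (string)($ipn['receiver_email'] ?? ''))) {
        return 'receiver_email mismatch';
    }
    // 4. Currency and amount must match the order we stored, not what the IPN claims.
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        return 'currency mismatch';
    }
    if (number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '') !== $order['total']) {
        return 'amount mismatch';
    }
    // 5. The IPN must refer to this order (we put our order id in "custom" at checkout).
    if ((int)($ipn['custom'] ?? 0) !== $order['order_id']) {
        return 'order id mismatch';
    }
    // 6. Each txn_id completes at most one order; a replayed IPN is rejected.
    if (in_array($ipn['txn_id'] ?? '', $usedTxnIds, true)) {
        return 'duplicate txn_id (replay)';
    }
    return null;
}

// Constructed sample IPN bodies (not real PayPal traffic).
$genuine = 'txn_id=TX1001&payment_status=Completed&receiver_email=sales%40example.com'
         . '&mc_gross=3.99&mc_currency=USD&custom=1001';
$forged  = 'txn_id=FAKE1&payment_status=Completed&receiver_email=sales%40example.com'
         . '&mc_gross=3.99&mc_currency=USD&custom=1001';

// Offline stand-in for postback_to_paypal(): only the body PayPal itself sent verifies.
$offlineVerify = fn(string $body): string => $body === $genuine ? 'VERIFIED' : 'INVALID';

$cases = ['genuine' => $genuine, 'forged' => $forged, 'replayed' => $genuine];
foreach ($cases as $label => $body) {
    $used = $label === 'replayed' ? ['TX1001'] : [];   // TX1001 already consumed
    $why  = ipn_rejection_reason($body, $order, $used, $offlineVerify);
    echo $label, ': ', $why === null ? 'complete order, release download' : 'keep pending (' . $why . ')', PHP_EOL;
}
```

The handler that receives the IPN should do nothing more than store the raw body and run this check; the page the customer is redirected to should only display "payment pending" until the check has completed the order. Restricting the callback to PayPal's IP ranges, as suggested above, is a useful extra layer, but the postback verification is the control that actually proves the notification came from PayPal, since those IP ranges change over time. The `txn_id` bookkeeping is what stops the replay described in the second post: even a genuine notification is only honoured once.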