PayPal Standard Hacked?

Apparently in 2015 PayPal sent out an alert of a issue with PayPal Standard on OpenCart 1.5 but I must have missed the memo We have been using PP standard for nearly 10 years without an issue (we hope).

A couple of days ago we had a $1000 sale on our 2.3.0.2 site though PP standard.. Great! Then a routine check of our PP account we discovered the buyer had only paid PP $23 for the $1000 item WTF?? Fortunately we hadn't sent it. It was still on the back of the couriers van. We contacted PP and this was the response:

Back in 2015, PayPal was alerted of a vulnerability that affect OpenCart v1.5 carts. Essentially at the checkout page, the buyer can open a HTML coding path and change the amount of the product. Both PayPal and OpenCart alerted people at the time, but obviously many years have passed since then.
I don’t know what version of OpenCart you have but here is a link that discussed that event, and a potential quick fix for you. This is all done from OpenCart’s site as they are the ones that had the vulnerability: https://www.antropy.co.uk/blog/paypal-s ... art-1-5-x/

Anyway it seems its still an issue with 2.3.0.2. and hopefully no longer a problem with 3.0.3.0 which we are soon upgrading to. If you are still using PP Standard don't, move to PP Express as it has better security so they tell us.

Ozfarmer wrote: ↑

Fri Mar 08, 2019 3:13 pm

Anyway it seems its still an issue with 2.3.0.2.

Nope, it's not. In OC 2 it checks for total amount and returns "TOTAL PAID MISMATCH!" error.

OpenCart 1.5.x has always had the code in to detect the amount being changed in the payment form. It's just that there were never clear instructions on how to correctly configure the order statuses. The mistake often made is the standard OpenCart Order Status setting is not set to a clear value. I would recommend creating a new order status such as 'Exception' or 'Check' and setting it to that.

Other payment modules are also affected by the same problem, if they use an HTML form to post the order details.

Thanks for the replies, they assume we are using v1.5x but we are not, we are using v2.3.0.2? https://prnt.sc/mv8ko7

No, my reply assumes, that you're using OC 2. Sorry, but it works just fine.

Ozfarmer wrote: ↑

Sat Mar 09, 2019 5:40 am

Thanks for the replies, they assume we are using v1.5x but we are not, we are using v2.3.0.2? https://prnt.sc/mv8ko7

The same advice applies to 2.3.0.2. Set the default Order Status setting something you are not using in the PayPal Standard module and that you will recognise as knowing that the order and payment needs checking.