change price before sending to Paypal
Posted: Wed Nov 11, 2015 10:57 am
by dklein
Can't seem to find much info on what seems like a very simple exploit in v1.5.5.1.
Using Paypal standard, at step 6 of checkout, a user can 'inspect elements' of the 'confirm order' button with their web browser and change the price of items before clicking 'confirm order' and sending to Paypal e.g. set price to $0.01. The transaction is successful and appears as normal in opencart but checking the paypal account, the edited price is what has actually been processed.
Re: change price before sending to Paypal
Posted: Wed Nov 11, 2015 5:08 pm
by inactiveaccount9912
At callback the order total and the paid total are compared, and if they don't match the order is not marked as complete.
Re: change price before sending to Paypal
Posted: Thu Nov 12, 2015 4:47 am
by dklein
Yes, that's what one would hope for but not the case.
Apparently this is a very old problem - see this
https://www.paypal-community.com/t5/Abo ... anguage=en
Also written about here with a link to a solution
http://www.antropy.co.uk/blog/paypal-st ... art-1-5-x/
I have installed this and it works (had to configure IPN address to my website I think)
But really? This has been around since 2012 without being addressed? Did I miss something?
Re: change price before sending to Paypal
Posted: Thu Nov 12, 2015 11:16 pm
by inactiveaccount9912
The totals do get compared in opencart, please check the code of the pp standard controller and you will see the check is made.
Re: change price before sending to Paypal
Posted: Fri Nov 20, 2015 2:10 am
by dklein
florinsith wrote: The totals do get compared in opencart, please check the code of the pp standard controller and you will see the check is made.
would you mind pointing out where that is? It's definitely not working if it's there.
I purchased a small vqmod that runs the check but it's getting caught up in rounding errors and currency conversion where the amounts don't match exactly. Perhaps if I can see the original checkpoint it will help sort it out.
From what I can see (I'm not a developer) it checks for a successful paypal transaction but doesn't verify the amount. So a successful transaction for $0.01 will be good enough to pass the check.
Re: change price before sending to Paypal
Posted: Sun Nov 22, 2015 4:51 pm
by inactiveaccount9912
catalog/controller/payment/pp_standard.php:
// In the IPN callback: mark the order complete only if the money went to the store's
// PayPal account AND the gross amount PayPal reports equals the order total converted
// into the order's currency (format(..., false) returns the rounded number without
// currency formatting).
if ((strtolower($this->request->post['receiver_email']) == strtolower($this->config->get('pp_standard_email'))) && ((float)$this->request->post['mc_gross'] == $this->currency->format($order_info['total'], $order_info['currency_code'], $order_info['currency_value'], false))) {
    $order_status_id = $this->config->get('pp_standard_completed_status_id');
} else {
    // This branch is also reached on an amount mismatch, but the log line only mentions the e-mail.
    $this->log->write('PP_STANDARD :: RECEIVER EMAIL MISMATCH! ' . strtolower($this->request->post['receiver_email']));
}
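The check quoted above compares a float parsed from PayPal's mc_gross with a float produced by the store's currency conversion, and logs the same "RECEIVER EMAIL MISMATCH" line whatever the cause. The block below is an added example written for this thread; it is not OpenCart's code and not from any poster. It shows how a practitioner would write the same IPN-to-order comparison so that a tampered amount, a swapped currency, a non-Completed status and a replayed txn_id are each rejected with a reason, and so that the amount comparison is done on fixed-decimal strings in the order's currency instead of float equality, which is where the rounding and conversion mismatches mentioned in this thread come from. The $order array mirrors the order fields the controller reads (total, currency_code, currency_value); the decimal_place entry is an assumption here (it would be looked up from the currency table), the $ipn arrays are constructed sample data, and the function assumes the IPN has already been verified with PayPal's _notify-validate postback before it is called.

```php
<?php
// Added example for this thread; not OpenCart's code. Assumes the IPN has already
// passed PayPal's _notify-validate round-trip, so its fields can be trusted to have
// come from PayPal (but NOT to describe the order the buyer was supposed to pay for).
declare(strict_types=1);

/**
 * Compare a verified IPN against the order it claims to pay for.
 * Returns [bool $ok, string $reason]; stops at the first failing check so the
 * log states which one it was.
 */
function ipnMatchesOrder(array $ipn, array $order, string $merchantEmail, array $seenTxnIds): array
{
    // 1. Money went to our account, not to a 'business' address the buyer substituted.
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchantEmail) !== 0) {
        return [false, 'receiver_email mismatch: ' . ($ipn['receiver_email'] ?? '')];
    }
    // 2. Only a completed payment may complete the order (Pending, Reversed, Refunded must not).
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return [false, 'payment_status not Completed: ' . ($ipn['payment_status'] ?? '')];
    }
    // 3. Same currency as the order; otherwise 0.01 of a cheap currency "pays" an expensive one.
    if (($ipn['mc_currency'] ?? '') !== $order['currency_code']) {
        return [false, 'mc_currency mismatch: ' . ($ipn['mc_currency'] ?? '')];
    }
    // 4. Amount. PayPal sends mc_gross as a decimal string; convert the stored total into
    //    the order currency, round to that currency's minor units, and compare as
    //    fixed-decimal strings rather than with float ==.
    $mcGross = (string)($ipn['mc_gross'] ?? '');
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $mcGross)) {
        return [false, 'mc_gross malformed: ' . $mcGross];
    }
    $decimals = (int)($order['decimal_place'] ?? 2); // assumed field: currency decimal places
    $expected = number_format(round($order['total'] * $order['currency_value'], $decimals), $decimals, '.', '');
    $paid     = number_format((float)$mcGross, $decimals, '.', '');
    if ($paid !== $expected) {
        return [false, "mc_gross mismatch: paid $paid, expected $expected"];
    }
    // 5. Replay: one PayPal transaction must not complete more than one order.
    if (in_array($ipn['txn_id'] ?? '', $seenTxnIds, true)) {
        return [false, 'txn_id already processed: ' . $ipn['txn_id']];
    }
    return [true, 'ok'];
}

// Constructed sample data (not a real order or transaction). The store total is kept in
// the default currency (USD); the customer checked out in GBP at the stored rate.
$order = [
    'order_id'       => 1234,
    'total'          => 49.99,
    'currency_code'  => 'GBP',
    'currency_value' => 0.7812345,   // 49.99 * 0.7812345 = 39.0539... -> "39.05"
    'decimal_place'  => 2,
];
$merchantEmail = 'sales@example.com';
$seenTxnIds    = ['9AB12345CD678901E'];

$base  = ['receiver_email' => 'Sales@example.com', 'payment_status' => 'Completed',
          'mc_currency' => 'GBP', 'mc_gross' => '39.05', 'txn_id' => '1AA00000AA000000A'];
$cases = [
    'genuine'   => $base,
    'tampered'  => ['mc_gross' => '0.01'] + $base,              // price edited in the browser
    'wrong_ccy' => ['mc_currency' => 'USD', 'mc_gross' => '49.99'] + $base,
    'pending'   => ['payment_status' => 'Pending'] + $base,
    'replay'    => ['txn_id' => '9AB12345CD678901E'] + $base,
];

foreach ($cases as $name => $ipn) {
    [$ok, $why] = ipnMatchesOrder($ipn, $order, $merchantEmail, $seenTxnIds);
    printf("%-10s %s (%s)\n", $name, $ok ? 'COMPLETE' : 'REJECT', $why);
}
```

Only the first case should print COMPLETE. In a real handler the txn_id list is a database lookup, and on REJECT the order is left in its pending status with the reason written to the log so the discrepancy can be investigated rather than silently dropped.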
Re: change price before sending to Paypal
Posted: Thu Nov 26, 2015 1:26 pm
by dklein
This is a gaping hole in security that has never been addressed. Confirmed by Daniel Kerr himself 3 years later. And still not taken care of. What a piece of crap Opencart is.
Re: change price before sending to Paypal
Posted: Thu Nov 26, 2015 3:38 pm
by dklein
By the way, the 'fix' that Daniel Kerr posted at
http://www.antropy.co.uk/blog/paypal-st ... art-1-5-x/ doesn't work. Just leaves everything in pending status. 3 years later he can't even get that right.

Re: change price before sending to Paypal
Posted: Mon Oct 31, 2016 1:42 am
by IP_CAM
3 years, that's only about 1'100 days, so what's the hurry?!
Ernie