[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension

daTib tibojunk at hotmail.com
Wed Dec 12 03:45:59 CET 2007


Hello list,
I think I found a possible security breach in the paypal2commerce extension.
I decided to post it here as I suppose that most of us are interested in
that extension too.
Let me describe the process:

1) I add an article to my basket and then proceed to checkout, choosing
Paypal as method; I go to the payment step, which makes me log in on the Paypal
site. I log in, but I don't confirm payment yet.
2) Then I open a new browser window and I go to the shop. There, my basket
is still available; I add articles to my basket.
3) I return to my Paypal browser window and now I confirm the payment.
4) I'm redirected to the shop, which confirms my order with the data of the
LATEST basket, not the one I paid!

So the result of this is a regular order record in the database, with a
valid payment token, but not with the correct articles! So if the merchant
doesn't check his bank transfers for each order, he will not realize that
the transferred amount doesn't match the order record in Commerce... he
could lose a lot of money.

I think this can be very dangerous and I don't really know how to fix it. I
guess it happens because paypal2commerce receives the data from the
session... even if the session has changed.

One solution would be to "freeze" the session data until payment
confirmation... but I don't know how to do it and I also don't want the
customer to have his session "locked" just because he aborted payment
process.

It seems to me that the only safe place to retrieve the data is finally the
database. The problem is that Commerce inserts the data only AFTER payment
confirmation.

So the solution would be to make paypal2commerce insert the order into the
database just before redirecting the customer to Paypal (maybe with the
"hide" flag checked until payment confirmation), and then also use the data
from the database instead of the session to update the record (in the "updateOrder"
function) when the customer is redirected back to the shop confirmation.
The problem with that solution is that I have no idea how to automatically
delete records of unconfirmed (and old) payments.

Are my suppositions correct? If yes, how can I make paypal2commerce do the
"preinsert" into the DB and update it correctly (and also avoid Commerce
creating a duplicate record)?
If my suppositions are not correct, then I'm lost hehe

[PS]: maybe using the field tstamp of table tx_commerce_baskets could be an
option? I mean that the confirmation process could still use session data,
but filter the articles with a timestamp smaller than another timestamp
session variable that would be initialised when the customer is redirected to
the Paypal site.

Any ideas would be very helpful, thank you. 


-- 
View this message in context: http://www.nabble.com/*SECURITY-ISSUE*-possible-Hack-of-paypal2ogone-extension-tp14288020p14288020.html
Sent from the TYPO3 - Projects - Commerce mailing list archive at Nabble.com.
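As an added example (not code from the original post, nor from the paypal2commerce or Commerce extensions), the following Python sketch models the fix proposed in the message: snapshot the basket into a hidden pending order record before redirecting to the payment provider, on return reconcile the amount the provider reports as paid against that snapshot instead of the live session basket, and purge pending records that were never confirmed. The vulnerable session-based flow is shown beside the hardened one so the race can be reproduced offline. All names (`OrderStore`, `PendingOrder`, `confirm_from_session`) and the basket contents are constructed for illustration and correspond to no real TYPO3 API.

```python
"""Snapshot-then-reconcile checkout (constructed example, not extension code).

The post describes a race: the basket lives in the session, the customer
edits it while at the payment provider, and the shop builds the order from
the session on return. The fix modelled here writes the order *before* the
redirect and treats that record, keyed by an unguessable token, as the only
source of truth when payment is confirmed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# A basket line is (sku, quantity, unit_price_in_cents); constructed format.
BasketLine = tuple[str, int, int]


def confirm_from_session(session_basket: list[BasketLine], paid_amount: int) -> dict:
    """Vulnerable flow from the post: whatever is in the session when the
    customer comes back from the provider becomes the order. The paid amount
    and the items can disagree and nothing notices."""
    return {"items": tuple(session_basket), "paid": paid_amount}


@dataclass
class PendingOrder:
    token: str
    items: tuple[BasketLine, ...]   # frozen copy taken at redirect time
    total: int                      # cents the customer was sent to pay
    created: float                  # wall-clock seconds, passed in for testability
    status: str = "pending"         # pending | confirmed | rejected


class OrderStore:
    """Stand-in for the hidden order records in the database (constructed)."""

    def __init__(self) -> None:
        self.orders: dict[str, PendingOrder] = {}

    def start_checkout(self, session_basket: list[BasketLine], now: float) -> str:
        # Snapshot the basket now; later edits to the session cannot reach it.
        items = tuple(session_basket)
        total = sum(qty * price for _, qty, price in items)
        token = secrets.token_urlsafe(16)   # returned to the provider as the order reference
        self.orders[token] = PendingOrder(token, items, total, now)
        return token

    def confirm_payment(self, token: str, paid_amount: int) -> PendingOrder:
        """Hardened flow: paid_amount must come from the provider's verified
        notification, never from the browser redirect; it is compared with the
        snapshot total, and the session basket is not consulted at all."""
        order = self.orders.get(token)
        if order is None or order.status != "pending":
            raise LookupError("unknown or already processed payment token")
        if paid_amount != order.total:
            order.status = "rejected"       # keep the record for the merchant to review
            return order
        order.status = "confirmed"          # equivalent to clearing the "hide" flag
        return order

    def purge_stale(self, now: float, max_age: float) -> int:
        """Answer to the post's cleanup question: drop pending records older
        than max_age seconds; confirmed and rejected ones are kept."""
        stale = [t for t, o in self.orders.items()
                 if o.status == "pending" and now - o.created > max_age]
        for t in stale:
            del self.orders[t]
        return len(stale)


def race_scenario() -> tuple[dict, PendingOrder]:
    """Replays steps 1-4 of the post against both flows (constructed data)."""
    store = OrderStore()
    basket: list[BasketLine] = [("book", 1, 1000)]          # step 1: 10.00 at checkout
    token = store.start_checkout(basket, now=100.0)         # redirect to provider
    basket.append(("laptop", 1, 90000))                     # step 2: second window
    paid = 1000                                             # step 3: provider charges 10.00
    vulnerable = confirm_from_session(basket, paid)         # step 4, old behaviour
    hardened = store.confirm_payment(token, paid)           # step 4, snapshot behaviour
    return vulnerable, hardened


if __name__ == "__main__":
    bad, good = race_scenario()
    print("session-based order lines:", len(bad["items"]), "paid:", bad["paid"])
    print("snapshot order lines:", len(good.items), "status:", good.status)
```

The token does the work the post's tstamp idea tries to do with timestamps: it binds the provider's return to one frozen record, so neither a later basket edit nor a replayed return URL can change what gets confirmed. Because the record is written before the redirect, the extension's own post-payment insert must be replaced by an update of that record, which is also what prevents the duplicate the post worries about.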