[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension
Thibaut van de Mortel
tibo at goutemesdisques.com
Wed Dec 12 16:30:31 CET 2007
I'm sorry for the wrong title of the initial post: this post concerns
paypal2commerce. It also indirectly concerns Commerce and its payment
handling, as Commerce by default uses the session data to feed the payment
method.
Using the basket table isn't an option, as records are fully deletable by
customers.
So I'm turning back to the only solution I can see: insert the record
in the database just before redirecting the customer to PayPal, and then
use that data to update the record after payment confirmation instead of
using untrustworthy session data.
I will try to get in touch with the author to inform him about the issue.
Any idea will still be very helpful, thank you.
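
The approach described in the message above, as an added example that is not part of the original post and is not code from Commerce or paypal2commerce: the order is stored server-side before the redirect and the confirmation is checked against that stored row, never against the session. The table, column and function names are hypothetical, an in-memory SQLite database stands in for the shop database, and the confirmation message is assumed to have already been verified as coming from the payment provider.

```php
<?php
// Added example with hypothetical names; not Commerce or paypal2commerce code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pending_order (
    token        TEXT PRIMARY KEY,
    amount_cents INTEGER NOT NULL,
    currency     TEXT NOT NULL,
    status       TEXT NOT NULL
)');

// Step 1: just before the redirect, store what the server computed for the
// basket. Only the random token travels through the customer's browser.
function createPendingOrder(PDO $db, int $amountCents, string $currency): string
{
    $token = bin2hex(random_bytes(16)); // unguessable order reference
    $db->prepare('INSERT INTO pending_order VALUES (?, ?, ?, ?)')
       ->execute([$token, $amountCents, $currency, 'pending']);
    return $token;
}

// Step 2: on payment confirmation, compare the reported figures with the
// stored row. The conditional UPDATE makes the check and the state change
// atomic, so an order can be marked paid only once and only for the
// amount and currency the server recorded.
function confirmPayment(PDO $db, string $token, int $paidCents, string $currency): bool
{
    $stmt = $db->prepare(
        "UPDATE pending_order SET status = 'paid'
          WHERE token = ? AND status = 'pending'
            AND amount_cents = ? AND currency = ?"
    );
    $stmt->execute([$token, $paidCents, $currency]);
    return $stmt->rowCount() === 1;
}

// Constructed sample run: one order of 49.90 EUR.
$token = createPendingOrder($db, 4990, 'EUR');
var_dump(confirmPayment($db, $token, 100, 'EUR'));  // amount differs from the stored row
var_dump(confirmPayment($db, $token, 4990, 'EUR')); // amount and currency match
var_dump(confirmPayment($db, $token, 4990, 'EUR')); // same confirmation replayed
```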