[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension
Ingo Schmitt
mailinglisten at i-schmitt.de
Thu Dec 13 11:58:42 CET 2007
Hi Thibaut,
hi Martin,
I've followed the discussion here and I already have a concept for how
we can generally prevent the change of "an order in checkout process
(pi3)" in commerce. Although it should be only a small change in PI3, we
have to test it carefully.
My plan is to provide a patch against the actual Commerce version for
pi3 very soon; would you be able to test the patch in your installations?
Please send me a private mail at is (at) marketing - factory (dot) de,
where I could send the patch.
ingo
> Hello Martin,
> I just realized how stupid it was to talk about security issues on a
> public list (especially when it is about money transactions). I'm
> sincerely sorry.
>
> I read that paypal2commerce now checks if the payment which is done via
> paypal is the same as the payment which should be paid.
> I have downloaded the update and just tested it and I see the error
> message when I try to "hack" it again.
>
> The problem is that the transaction has been accepted. It should
> actually validate the order (with the data as it was when customer was
> redirected to paypal).
>
> But I think this will need further development. I fear that it will
> require a database insert... which makes me also fear that it will
> require a modification of Commerce's pi3 too.
> I know that you don't have the time for such development. I will try to
> find a solution but I have just one question: do you think it is
> possible to achieve this without altering Commerce's pi3?
>
> Thank you for your reaction and again, I apologize for my public "how to
> hack {insert name of extension here}". I suggest deleting my original
> post but I don't know how to do it.
>
> Regards,
> Thibaut
Kind regards
--
Ingo Schmitt mailto:is at marketing-factory.de
Marketing Factory Consulting GmbH http://typo3.marketing-factory.de/
Content Management with Typo3: Consulting - Training - Implementation