[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension

Ingo Schmitt mailinglisten at i-schmitt.de
Thu Dec 13 11:58:42 CET 2007


Hi Thibaut,
hi Martin,

I've followed the discussion here and I already have a concept for how we 
can prevent the change of "an order in checkout process (pi3)" generally 
in commerce. Although it should be only a small change in PI3, we have 
to test it carefully.

My plan is to provide a patch against the actual Commerce version for 
pi3 very soon. Would you be able to test the patch in your installations?

Please give me a private mail is (at) marketing - factory (dot) de, 
where I could send the patch.

ingo



> Hello Martin,
> I just realized how stupid it was to talk about security issues on a 
> public list (especially when it is about money transactions). I'm 
> sincerely sorry.
> 
> I read that paypal2commerce now checks if the payment which is done via 
> paypal is the same as the payment which should be paid.
> I have downloaded the update and just tested it and I see the error 
> message when I try to "hack" it again.
> 
> The problem is that the transaction has been accepted. It should 
> actually validate the order (with the data as it was when customer was 
> redirected to paypal).
> 
> But I think this will need further development. I fear that it will 
> require database insert... which makes me also fear that it will require 
> a modification of Commerce's pi3 too.
> I know that you don't have the time for such development. I will try to 
> find a solution but I have just one question: do you think it is 
> possible to achieve this without altering Commerce's pi3?
> 
> Thank you for your reaction and again, I apologize for my public "how to 
> hack {insert name of extension here}". I suggest deleting my original 
> post but I don't know how to do it.
> 
> Regards,
> Thibaut


Kind regards
-- 
Ingo Schmitt                        mailto:is at marketing-factory.de
Marketing Factory Consulting GmbH   http://typo3.marketing-factory.de/
Content Management with Typo3: Consulting - Training - Implementation
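
The check discussed in the quoted message (validate the order with the data as it was when the customer was redirected to the payment provider), shown as an added example that is not part of the original thread and is not Commerce or paypal2commerce code. The class, method and field names are hypothetical, the in-memory array stands in for a database table, and the baskets are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added illustration: all names are hypothetical, not Commerce or paypal2commerce code.
final class PendingOrders
{
    /** @var array<string, array> stands in for a database table */
    private array $rows = [];

    /** Call at the moment the customer is redirected to the payment provider. */
    public function freeze(array $basket, string $currency): string
    {
        $total = 0;
        foreach ($basket as $item) {
            $total += $item['priceCents'] * $item['qty'];
        }
        $orderId = bin2hex(random_bytes(16)); // unguessable reference handed to the provider
        $this->rows[$orderId] = [
            'basket' => $basket, 'totalCents' => $total,
            'currency' => $currency, 'booked' => false,
        ];
        return $orderId;
    }

    /** Call on the provider's confirmation. Returns the basket to book, or null to reject. */
    public function confirm(string $orderId, int $paidCents, string $paidCurrency): ?array
    {
        $row = $this->rows[$orderId] ?? null;
        if ($row === null || $row['booked']) {
            return null; // unknown reference, or a confirmation that was already used
        }
        if ($row['totalCents'] !== $paidCents || $row['currency'] !== $paidCurrency) {
            return null; // paid amount or currency does not match the frozen order
        }
        $this->rows[$orderId]['booked'] = true;
        return $row['basket']; // book the frozen basket, never the live session basket
    }
}

// Constructed sample data: the session basket changes after the redirect.
$orders = new PendingOrders();
$basketAtRedirect = [['sku' => 'A-1', 'priceCents' => 1999, 'qty' => 1]];
$orderId = $orders->freeze($basketAtRedirect, 'EUR');
$sessionBasket = [['sku' => 'B-9', 'priceCents' => 49900, 'qty' => 1]]; // ignored on confirmation

var_dump($orders->confirm($orderId, 1999, 'EUR') === $basketAtRedirect);
var_dump($orders->confirm($orderId, 1999, 'EUR'));
```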

