[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension

Martin Holtz typo3 at martinholtz.de
Fri Dec 14 18:46:14 CET 2007


Hi Thibaut,


> I just realized how stupid it was to talk about security issues on a
> public list (especially when it is about money transactions). I'm
> sincerely sorry.
shit happens :)

> I read that paypal2commerce now checks if the payment which is done via
> paypal is the same as the payment which should be paid.
> I have downloaded the update and just tested it and I see the error
> message when I try to "hack" it again.
Thanks for testing it.

> The problem is that the transaction has been accepted. It should
> actually validate the order (with the data as it was when the customer was
> redirected to PayPal).
yep - but I had to decide between sleep and finding a real solution ;)

> But I think this will need further development. I fear that it will
> require a database insert... which makes me also fear that it will require
> a modification of Commerce's pi3 too.
well - I thought about a session-based solution.
PayPal sends me a unique key which I could use to identify it - catching the
old data - changing the data of commerce - uhh, it seems not to be so easy ;)

> I know that you don't have the time for such development. I will try to
> find a solution but I have just one question: do you think it is
> possible to achieve this without altering Commerce's pi3?
I would think so, but we do not need to - Ingo did :)


regards & special thanks to Ingo too
Martin

-- 
TSConfig:
http://typo3.org/documentation/document-library/references/doc_core_tsconfig/current/view/
TSRef: http://wiki.typo3.org/index.php/De:TSref
http://wiki.typo3.org/index.php/User:Maholtz
http://www.martinholtz.de
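The check the thread argues for, as an added example in Python (not the extension's own code, which is PHP; `PENDING`, `register_redirect` and `validate_callback` are hypothetical names): snapshot the order when the customer is redirected to the payment provider, then accept the payment callback only if its amount and currency match that snapshot and the one-time token has not been used before.

```python
"""Server-side validation of a payment-provider callback against the
order as it was at redirect time. Illustrative only; a real deployment
also verifies the notification's authenticity with the provider (for
PayPal IPN, the postback to PayPal), which is omitted here."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple
import secrets


@dataclass(frozen=True)
class OrderSnapshot:
    order_id: str
    amount: str    # decimal string as shown to the customer, e.g. "49.90"
    currency: str  # ISO code, e.g. "EUR"


# Hypothetical pending-order store; in a real shop this would be the
# session or a database table keyed by the token sent to the provider.
PENDING: Dict[str, OrderSnapshot] = {}


def register_redirect(order_id: str, amount: str, currency: str) -> str:
    """Called right before redirecting to the payment page.
    Returns the one-time token that is passed along to the provider."""
    token = secrets.token_urlsafe(16)
    PENDING[token] = OrderSnapshot(order_id, amount, currency)
    return token


def validate_callback(token: str, paid_amount: str, paid_currency: str,
                      status: str) -> Tuple[bool, str]:
    """Compare the provider's callback with the stored snapshot.
    Returns (accepted, order_id or reason)."""
    snap = PENDING.get(token)
    if snap is None:
        return False, "unknown or reused token"
    if status != "Completed":
        return False, "payment not completed"
    if paid_currency != snap.currency:
        return False, "currency mismatch"
    try:
        if Decimal(paid_amount) != Decimal(snap.amount):
            return False, "amount mismatch"
    except InvalidOperation:
        return False, "malformed amount"
    # Consume the token so a second callback cannot confirm the order again.
    del PENDING[token]
    return True, snap.order_id
```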

