[TYPO3-commerce] *SECURITY ISSUE* possible Hack of paypal2ogone extension

ingo schmitt mailinglisten at i-schmitt.de
Sun Dec 30 19:19:11 CET 2007


Hi Thibaut,
hi List,

during the last days we have tracked this issue and have provided a fix,
so please check out the latest 0.9.4 from the SVN. In the extension
configuration you can set the basket to readonly while the user is in the
checkout process. A new version will soon be in TER.

But let me point this out: during the checkout the user goes through
different steps, and if the payment is not made within one step, or the
user is redirected to another site, the implementation of the payment
must take care of such an issue. Since normally the basket is editable,
you could change the basket in a second window during the checkout.

If you are programming payments with more than one step, or including
redirects to external gateways, you should have a look at the new
methods in tx_commerce_basket which allow you to set a basket to
readonly and release this lock. Normally you should set the basket to
readonly just before pointing the user to the payment and release the
lock after finishing.

If a basket is locked, it'll be automatically released during the 
finishing of the basket.

Ingo


> Hello list,
> I think I found a possible security breach in the paypal2commerce extension.
> I decided to post it here as I suppose that most of us are interested in
> that extension too.
> Let me describe the process:
> 
> 1) I add an article to my basket and then proceed to checkout, choosing
> Paypal as method; I go to the payment step, which makes me log in on Paypal
> site. I log in, but I don't confirm payment yet.
> 2) Then I open a new browser window and I go to the shop. There, my basket
> is still available; I add articles to my basket.
> 3) I return to my Paypal browser window and now I confirm the payment.
> 4) I'm redirected to the shop that confirms my order with the data of the
> LATEST basket, not the one I paid!
> 
> So the result of this is a regular order record in the database ; with a
> valid Token payment, but not with correct articles! So if the merchant
> doesn't check his bank transfers for each order, he will not realize that
> the transferred amount doesn't match the order record in Commerce...  he
> could lose a lot of money. 
> 
> I think this can be very dangerous and I don't really know how to fix it. I
> guess it happens because paypal2commerce receives the data from the
> session... even if session has changed. 
> 
> One solution would be to "freeze" the session data until payment
> confirmation... but I don't know how to do it and I also don't want the
> customer to have his session "locked" just because he aborted payment
> process.
> 
> It seems to me that the only safe place to retrieve the data is finally the
> dataBase. Problem is that Commerce inserts the data only AFTER payment
> confirmation. 
> 
> So the solution would be to make paypal2commerce insert the order into the
> database just before redirecting the customer to Paypal (maybe with the
> "hide" flag checked until payment confirmation); and then also use the data
> from dataBase instead of session to update the record (in "updateOrder"
> function) when the customer is redirected back to the shop confirmation.
> The problem of that solution is that I have no idea how to automatically
> delete records of unconfirmed (and old) payments.
> 
> Are my suppositions correct? If yes, how can I make paypal2commerce make the
> "preinsert" into DB and update it correctly (and also avoid that Commerce
> creates a duplicate record) ?
> If my suppositions are not correct, then I'm lost hehe
> 
> [PS]: maybe using the field tstamp of table tx_commerce_baskets could be an
> option? I mean that the confirmation process could still use session data,
> but filter the articles with a timestamp smaller than another timestamp
> session variable that would be initiated when the customer is redirected to
> Paypal site.
> 
> Any ideas would be very helpful, thank you. 
> 
> 


Mit freundlichen Gruessen
-- 
Ingo Schmitt                        mailto:is at marketing-factory.de
Marketing Factory Consulting GmbH   http://typo3.marketing-factory.de/
Content Management mit Typo3: Beratung - Schulung - Realisierung
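The following is an added example, not code from the commerce or paypal2commerce extensions, modelling the two defences discussed in this thread: locking the basket to readonly just before the redirect to the gateway (as Ingo's reply describes) and, as a second check, comparing a fingerprint of the basket taken at redirect time against the basket seen on the customer's return (the "freeze the data" idea from the original report). All names here (CheckoutBasket, lock_for_payment, release_lock, confirm_order, replay_reported_scenario) are hypothetical and are not the tx_commerce_basket API. The replay function walks through steps 1-4 of the report with and without the lock so the difference is visible.

```python
"""Model of a basket lock plus fingerprint check around an external payment.

Added example; hypothetical names, not the commerce extension's own code.
"""
import hashlib
import json


class BasketLockedError(Exception):
    """Raised when a readonly (locked) basket is modified."""


class CheckoutBasket:
    def __init__(self):
        self.items = {}          # article id -> quantity
        self.readonly = False
        self.payment_fingerprint = None

    def add_item(self, article_id, quantity=1):
        # Defence 1: a second browser window cannot change a locked basket.
        if self.readonly:
            raise BasketLockedError("basket is readonly during checkout")
        self.items[article_id] = self.items.get(article_id, 0) + quantity

    def fingerprint(self):
        # Canonical serialisation so identical contents always hash the same.
        canonical = json.dumps(sorted(self.items.items()))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def lock_for_payment(self):
        """Call just before redirecting the customer to the payment gateway."""
        self.readonly = True
        self.payment_fingerprint = self.fingerprint()
        return self.payment_fingerprint

    def release_lock(self):
        self.readonly = False
        self.payment_fingerprint = None


def confirm_order(basket, paid_fingerprint):
    """Called when the customer returns from the gateway.

    Defence 2: the order is only created if the basket still matches what
    was fingerprinted before the redirect. Finishing releases the lock.
    """
    if basket.fingerprint() != paid_fingerprint:
        return {"ok": False, "reason": "basket changed since redirect to gateway"}
    order = {"items": dict(basket.items), "fingerprint": paid_fingerprint}
    basket.release_lock()
    return {"ok": True, "order": order}


def replay_reported_scenario(lock_basket):
    """Replay steps 1-4 from the report (constructed sample data)."""
    basket = CheckoutBasket()
    basket.add_item("article-1")                       # step 1: fill basket
    if lock_basket:
        paid = basket.lock_for_payment()               # fixed version
    else:
        paid = basket.fingerprint()                    # what was really paid for
    try:                                               # step 2: second window
        basket.add_item("article-2", 5)
        blocked = False
    except BasketLockedError:
        blocked = True
    result = confirm_order(basket, paid)               # steps 3-4: return from gateway
    return {
        "second_window_blocked": blocked,
        "order_accepted": result["ok"],
        "items": dict(basket.items),
    }


if __name__ == "__main__":
    print("with lock:   ", replay_reported_scenario(True))
    print("without lock:", replay_reported_scenario(False))
```

With the lock, the second window's change is refused and the order that gets created contains exactly the paid-for articles; without the lock, the fingerprint check still refuses to create an order whose contents differ from what the gateway charged, so the mismatch the reporter found cannot silently become a valid-looking order record.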


