Possible security issue in checkout process?

**viswablr** · 08-04-2012, 06:48 AM

Hi All,

I have installed OSCmax 2.5.2 and testing my site. I found a possible security issue. Please clarify the below situation.

1) Customer logs into 'my account'

2) Adds an item into cart

3) Presses 'Checkout' tab (One page checkout not enabled)

4) Site takes the customer through checkout_shipping.php and then checkout_payment.php

This is where I found the security issue.

After step (4), if I manually type the URL "www.storename.com/checkout_success.php", the order gets completed!!! Even before the customer makes the payment....

In one instance, I noticed that order_process email is also sent to the customer.

But in some other instances, no email was sent to the customer, but "Your order has been successfully processed" message appears to the customer.

Please clarify ....

P.S: I tested this behavious with oscmax store also (That sells the admin manual. There also, I could see similar issue)

Thanks
Viswa

**viswablr** · 08-04-2012, 07:26 AM

One more update: No need to go through any steps mentioned below.

Very simple steps:

1) Add some items into cart

2) Type the URL: http://storename.com/checkout_success.php

I am able to see "Your Order has been successfully processed" message.

regards
Viswa

Originally Posted by viswablr

Hi All,

I have installed OSCmax 2.5.2 and testing my site. I found a possible security issue. Please clarify the below situation.

1) Customer logs into 'my account'

2) Adds an item into cart

3) Presses 'Checkout' tab (One page checkout not enabled)

4) Site takes the customer through checkout_shipping.php and then checkout_payment.php

This is where I found the security issue.

After step (4), if I manually type the URL "www.storename.com/checkout_success.php", the order gets completed!!! Even before the customer makes the payment....

In one instance, I noticed that order_process email is also sent to the customer.

But in some other instances, no email was sent to the customer, but "Your order has been successfully processed" message appears to the customer.

Please clarify ....

P.S: I tested this behavious with oscmax store also (That sells the admin manual. There also, I could see similar issue)

Thanks
Viswa

**michael_s** · 08-04-2012, 09:29 AM

I see that it goes to checkout success, but the order is not properly completed and no order is stored in the database.

This is definitely a bug and it should just redirect back to the shopping cart like it does when not logged in.

**michael_s** · 08-05-2012, 03:24 PM

I have reproduced this issue and it does pose big problem.

There are several methods to approach fixing this issue. The quickest hack for immediate help would be to use .htaccess to limit access only to the domains that should be authorized to use it (localhost and your payment processors). I have tested this method and it works pretty well, but your mileage may vary.

Something like this should help:

Code:

#limit access to checkout_process.php to only authorized referring domains
<Files checkout_process.php>
SetEnvIf Referer "^http://local\.site\.com" local_referral
SetEnvIf Referer "^http://remote\.domain\.com" auth_referral
Order Deny,Allow
Deny from all
Allow from env=local_referral
Allow from env=auth_referral
</Files>

Change the domains in the following directives to any domains that legitimately need to access that file:

SetEnvIf Referer "^http://local\.site\.com" local_referral
SetEnvIf Referer "^http://remote\.domain\.com" auth_referral

**JRR** · 09-07-2012, 10:52 PM

I have been able to reproduce this problem in 2.0.25 as well.
So I'm assuming that for PayPal remote line would read:

SetEnvIf Referer "^http://remote\www\.paypal\.com" auth_referral (??)

Sorry, not clear as to exactly how that environment variable should be set...and reading (Apache definition page for SetEnvIf) just gives me a headache at this hour of the night...

Thanks!

**ridexbuilder** · 09-08-2012, 02:34 AM

Originally Posted by JRR

...So I'm assuming that for PayPal remote line would read:

Code:

SetEnvIf Referer "^http://remote\www\.paypal\.com" auth_referral

Nope.

Code:

SetEnvIf Referer "^http://www\.paypal\.com" auth_referral

Might be better to also include - 'www' is so yesterday.

Code:

SetEnvIf Referer "^https://www\.paypal\.com" auth_referral

**JRR** · 09-08-2012, 08:05 AM

Ah - the "remote"in ""^http://remote\www\.paypal\.com"" actually is the prefix of the 'remote' site (paypal.com) - in this case "www".

Thanks!

'www' may be so yesterday, but there are still many sites that aren't found without that prefix added...

**JRR** · 10-24-2012, 11:42 AM

Further to this, I finally had a Canadian customer try to use the "Cheque/Money Order" option in the shopping cart payment and got the 'Forbidden' message - in order to allow that order to go (using admin/ through I edited out the extra bits added to .htaccess (paypal and Canada Post authorization), but in thinking it over I'm wondering if this line would work correctly:

SetEnvIf Referer "^http://local\.websitename\.com" local_referral

and also add at the end of that section:

Allow from env=local_referral

Now I am assuming that 'local' in this case refers to the website hosting the catalog. I had tried it as

SetEnvIf Referer "^http://www\.websitename\.com" auth_referral

but that didn't work.

Suggestions?