Paypal IPN v2.4 not working when temp folder is 755

choconick
06-03-2010, 08:35 AM
Hi guys,

I have an issue here: I get an error at checkout when going to the PayPal page using the Credit/Debit Card (via PayPal) module in oscmax 2.0.25.

PayPal returns:
We were unable to decrypt the certificate id.

The error occurred when the /temp folder permission was set to 755.
It was fine when the /temp folder permission was set to 777.

I read in the wiki tutorial that the folder should be set to 755 to be secure.
What should I do to fix it?

Appreciate any help.

ridexbuilder
06-03-2010, 02:18 PM
"The error occurred when the /temp folder permission was set to 755.
It was fine when the /temp folder permission was set to 777.

I read in the wiki tutorial that the folder should be set to 755 to be secure."

To answer this specific bit:
If you require ANY folder to be 777, then you are not running a secure PHP server.

michael_s
06-03-2010, 02:38 PM
This means you are running modphp instead of php-fastcgi (or cgi) or suphp. The recommended config is suphp for simplicity. If you have root access, you can make the needed ownership changes with mod-php to allow tighter overall permissions, but just know that if you run any directory as world writable (777) it is not a matter of if you get hacked, but a matter of when.
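
The permission logic behind the post above, as an added example that is not part of the original thread: it applies the standard Unix owner/group/other write check to a scratch directory at 755 and 777 for a PHP process running as the account owner (suPHP) and as a separate web-server user (mod_php). The uid/gid used for the mod_php user are constructed, and ACLs or other access controls are not modelled.

```python
import os
import stat
import tempfile

def can_write(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Unix write check: only ONE class applies (owner, else group, else other)."""
    if proc_uid == 0:                      # root bypasses the mode bits
        return True
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_dir(path, php_uid, php_gids):
    """Report whether a PHP process with the given identity can write to path."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": format(mode, "o"),
        "php_can_write": can_write(mode, st.st_uid, st.st_gid, php_uid, php_gids),
        "world_writable": bool(mode & stat.S_IWOTH),
    }

def demo():
    """Compare 755 and 777 on a scratch directory for both server setups."""
    results = {}
    with tempfile.TemporaryDirectory() as temp:
        st = os.stat(temp)
        # Constructed identities: suPHP runs scripts as the account owner;
        # mod_php runs them as a separate web-server user (uid/gid made up here).
        setups = {
            "suphp": (st.st_uid, {st.st_gid}),
            "mod_php": (st.st_uid + 1000, {st.st_gid + 1000}),
        }
        for mode in (0o755, 0o777):
            os.chmod(temp, mode)
            for name, (uid, gids) in setups.items():
                results[(name, format(mode, "o"))] = audit_dir(temp, uid, gids)
    return results

if __name__ == "__main__":
    for key, report in demo().items():
        print(key, report)
```

Under mod_php only the 777 row reports the directory as writable, and it is also the only row flagged world_writable; under suPHP the owner bits of 755 already grant write access.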

choconick
06-03-2010, 04:09 PM
The web hosting service I'm using is with an ISP, and I was told the server uses mod php.
I saw:
Module Directory: /usr/local/pem/vhosts/123456/webspace/httpdocs/catalog/includes/modules/payment/

and I can only access /webspace/httpdocs...
I guess I do not have root access.

I referred to the wikidoc's suphp permission settings:

Files should be CHMOD to a maximum of 600.
Both configure files should be a maximum of 400.

Is that what I have to do while maintaining the security level?
Will it fix my PayPal issue?

ridexbuilder
06-03-2010, 04:30 PM
Your best course of action is to get your hosting provider to configure the server for suphp, or move provider. The alternative is to relax your file settings and (as Michael says) wait until your site gets cracked.

choconick
06-03-2010, 04:52 PM
"get your hosting provider to configure the server for suphp"

What should I tell them specifically?

choconick
06-03-2010, 09:45 PM
I may simply just disable the "Enable Encrypted Web Payments" option.
What security issue might I face if I have this one off?

michael_s
06-04-2010, 09:13 AM
"get your hosting provider to configure the server for suphp"

"What should I tell them specifically?"

Ask nicely! If you are on a shared server, ask if they run any shared servers with suphp. If they do, ask to be moved to one of those servers. If not, you are out of luck regarding file permissions.


"I may simply just disable the "Enable Encrypted Web Payments" option.
What security issue might I face if I have this one off?"

It is completely unnecessary to enable and you are not exposing the customer data to any risk at all by disabling it. The entire transaction is handled via SSL anyway, so it is already encrypted.