Important Fix for Paypal Users
Written by Thomas Kahl   
Thursday, 24 March 2011 15:31

Today Fabian Petzold from fpCOM - IT Professional informed us about a security problem in the notify.php of the PayPal payment module. Together with our friends at Sobi / Sigsiu.NET we were able to reproduce the problem: it is possible to change an order's status to "confirmed" (= paid) without actually paying for the order through PayPal.

I will not describe how this can be done ;-) but all notify.php versions are affected (not the new PayPal Express API!). We have created a patch for this problem (for Joomla 1.5.x!). The patch is new and has so far been tested on only a few sites. So, if you use this patch, please try a purchase on your site to check that normal transactions are still handled correctly. We have given this patch to the VirtueMart team for testing and for releasing an update.

Edit the file /administrator/components/com_virtuemart/notify.php. Go to line 310. This should be the line just before this comment:

//--------------------------------------------------------
// If connected OK, write the posted values back, then...
//--------------------------------------------------------

Insert the following code between the closing bracket and the comment:

// VM-Expert fix: do not allow transactions in sandbox without Debug-Mode
// A notify call flagged as a sandbox test (test_ipn=1) is only accepted while
// PAYPAL_DEBUG is "1"; otherwise the result is set to FAILED and the shop
// admin is alerted by mail.
elseif (JRequest::getInt('test_ipn') == 1 && PAYPAL_DEBUG != "1") {
    $res = "FAILED";

    $mailsubject = "PayPal Sandbox Transaction without Debug-Mode";
    $mailbody = "Hello,
    A fatal error occurred while processing a paypal transaction.
    ----------------------------------
    Hostname: $hostname
    URI: $uri
    A Paypal transaction was made using the sandbox without your site in Paypal-Debug-Mode";
    vmMail($mosConfig_mailfrom, $mosConfig_fromname, $debug_email_address, $mailsubject, $mailbody);
}
// VM-Expert fix: end

With this patch, a notify call coming from a sandbox transaction is rejected unless debug mode is switched on, and the shop admin is informed by mail that this was attempted.
If you have any problems using this patch, please contact us or write a comment on this page.

If you are using Joomla 1.0.x, replace the string

JRequest::getInt('test_ipn')

with the following:

trim(stripslashes($_POST['test_ipn']))
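To make the logic of the patch explicit outside of notify.php, here is an added example in Python (not VirtueMart's code and not part of the original post). It mirrors the VM-Expert check: an IPN message carrying test_ipn=1 is only accepted when the shop is in PayPal debug mode, otherwise the result is FAILED, the alert mail is composed, and the order is left untouched. The reading of test_ipn copies the behaviour of JRequest::getInt() (integer, 0 when absent or non-numeric). The order dictionary, the hostname/URI values, the sample IPN posts and the use of the IPN field payment_status to decide on confirmation are assumptions made for illustration; the real handler additionally posts the message back to PayPal for validation, which is omitted here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpnDecision:
    result: str                          # "OK" to keep processing, "FAILED" to stop
    alert_subject: Optional[str] = None  # set only when an admin alert is due
    alert_body: Optional[str] = None


def ipn_test_flag(post: dict) -> int:
    """Read test_ipn the way JRequest::getInt('test_ipn') does:
    whitespace trimmed, integer value, 0 when missing or non-numeric."""
    raw = str(post.get("test_ipn", "")).strip()
    return int(raw) if raw.lstrip("-").isdigit() else 0


def guard_sandbox_ipn(post: dict, paypal_debug: bool, hostname: str, uri: str) -> IpnDecision:
    """The VM-Expert check: a sandbox IPN (test_ipn=1) is rejected unless
    the shop runs in PayPal debug mode. paypal_debug stands in for PAYPAL_DEBUG == "1"."""
    if ipn_test_flag(post) == 1 and not paypal_debug:
        subject = "PayPal Sandbox Transaction without Debug-Mode"
        body = (
            "Hello,\n"
            "A fatal error occurred while processing a paypal transaction.\n"
            "----------------------------------\n"
            f"Hostname: {hostname}\n"
            f"URI: {uri}\n"
            "A Paypal transaction was made using the sandbox without your site in Paypal-Debug-Mode"
        )
        return IpnDecision("FAILED", subject, body)
    return IpnDecision("OK")


def handle_ipn(order: dict, post: dict, paypal_debug: bool,
               hostname: str = "shop.example",   # assumed value
               uri: str = "/administrator/components/com_virtuemart/notify.php") -> IpnDecision:
    """Toy stand-in for the rest of notify.php: only a message that passes the
    guard may move the order to 'confirmed'. The PayPal validation postback
    done by the real handler is omitted here."""
    decision = guard_sandbox_ipn(post, paypal_debug, hostname, uri)
    if decision.result == "OK" and post.get("payment_status") == "Completed":
        order["status"] = "confirmed"
    return decision


# Constructed sample IPN posts (not real PayPal traffic)
LIVE_IPN = {"payment_status": "Completed", "txn_id": "EXAMPLE-TXN-1"}
SANDBOX_IPN = {"payment_status": "Completed", "txn_id": "EXAMPLE-TXN-2", "test_ipn": "1"}


if __name__ == "__main__":
    order = {"status": "pending"}
    d = handle_ipn(order, SANDBOX_IPN, paypal_debug=False)
    print(d.result, order["status"])          # FAILED pending
    if d.alert_subject:
        print("alert mail:", d.alert_subject)
    d = handle_ipn(order, LIVE_IPN, paypal_debug=False)
    print(d.result, order["status"])          # OK confirmed
```

The point of the structure is that the sandbox check runs before anything touches the order: with debug mode off, a sandbox notification can never reach the code path that sets the status, and the admin gets the same mail text the patch sends.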