Re: WorldPay Module version 2.0 - Support thread
Well after complaining yet again about any movement here is the response I received:
My apologies for this, to give you some background the reason these changes may not have been as satisfactory as we'd hope is that we are working to a deadline from Visa / Mastercard to become fully PCI compliant by the end of September which has been a massive operation for development and has meant that with the whitelist we have had to be more strict than is possibly necessary.
We will be revisiting any outstanding issues and working to minimize the impact as much as possible following this and I would imagine any serious problems once this goes live will be quickly addressed.
I am sorry that this has been an inconvenient time to sign up and that information has not been as clear as we would hope in this matter.
For your information our complaints procedure is detailed at:
http://www.rbsworldpay.com/support/i...omplaints&c=UK
And our cancellations form at:
http://www.rbsworldpay.com/support/bg/cancellations/
I have decided to switch to InternetSecure because who knows how long this will take.
Philip, again thanks for all the work.
Khalil
Re: WorldPay Module version 2.0 - Support thread
Could I just please confirm something?
I processed a test payment through. I can see what happens to the Thank you page (it looks completely messed up) and I know why due to reading earlier posts.
But the payment still seemed to go through and I received both rbs and zencart email receipts to confirm this. So, am I right to say that payments still work?
If I work out how to correct the thank you page by hard coding absolute links etc then that will be the problem over?
Has anyone been able to fix their thank you page yet by hard code?
And thanks, Philip, for your response to my earlier post and I hope there may be a way to carry on with this module.
Re: WorldPay Module version 2.0 - Support thread
It depends on your templating system, the removal of the base href tag and then you recoding into files may very well harm the rest of your site depending on how it is configured. There's no way to know, hence why I can't issue a patch.
Philip.
Re: WorldPay Module version 2.0 - Support thread
Quote: Originally Posted by philip_clarke
It depends on your templating system, the removal of the base href tag and then you recoding into files may very well harm the rest of your site depending on how it is configured. There's no way to know, hence why I can't issue a patch.
Philip.
Good Morning Philip and all,
I'm not a coder and don't really know what I've done, but it works for me and should work for others, and I'm sure those of you who actually know what they are doing can make this work as a temp patch for everyone, or maybe not, but this does work for me.
Make folder wp_callback
includes/templates/YOUR_TEMPLATE/wp_callback
Copy the following files into this folder and they will act as an override
and not overwrite the main files of the Worldpay module or other files
for that matter.
includes/templates/template_default/templates/tpl_modules_wp_checkout_cancelled.php
includes/templates/template_default/templates/tpl_modules_wp_checkout_success.php
includes/templates/template_default/common/html_header.php
includes/templates/template_default/common/tpl_header.php
includes/templates/template_default/common/tpl_footer.php
includes/templates/template_default/common/tpl_main_page.php
Copy the contents of includes/templates/YOUR_TEMPLATE/css
to
includes/templates/YOUR_TEMPLATE/wp_callback
Edit the html_header.php and hard code the location of your stylesheets
<link rel="stylesheet" type="text/css" href="http://YOUR_WEBSITE/includes/templates/YOUR_TEMPLATE/wp_callback/stylesheet.css" />
<link rel="stylesheet" type="text/css" href="http://YOUR_WEBSITE/includes/templates/YOUR_TEMPLATE/wp_callback/stylesheet_css_buttons.css" />
<link rel="stylesheet" type="text/css" media="print" href="http://YOUR_WEBSITE/includes/templates/YOUR_TEMPLATE/wp_callback/print_stylesheet.css" />
You can now edit the css sheets in order to change anything you might need to change for the Worldpay callback page.
In both the tpl_header.php and tpl_footer.php you can make adjustments as or if needed.
Edit tpl_main_page.php and turn off the sideboxes for this page as none of the graphics will be working anyway. Look for this and make changes as needed.
* to turn off the header and/or footer uncomment the lines below<br />
* to turn off the left and/or right columns uncomment the lines below<br />
* $flag_disable_header = true;<br />
* $flag_disable_left = true;<br />
* $flag_disable_right = true;<br />
* $flag_disable_footer = true;<br />
I've tested this on both versions 1.3.7.1 and 1.3.8a
This override will only affect the Worldpay return pages and no others, so if it doesn't work for you just delete the folder or rename it and you haven't messed with any of the working files of this fine module.
I hope this helps someone as I would hate to lose this module. It works perfectly for me and I would think from what I've seen here it is more secure than most if not all of the other payment modules available.
Re: WorldPay Module version 2.0 - Support thread
Hint 1
One thing to mention first. When editing files and then ftping them up, you need to have your browser open with your shopping cart page displayed with something in it and hit reload or press F5 every minute or so. This will stop your session timing out, otherwise you'll end up having to log in frequently, which is more time consuming to see your changes.
Hint 2
Above is a good and comprehensive guide. There is a way to test exactly what your customer will see when worldpay sucks things in.
What's not mentioned is that to see how badly screwed up worldpay makes your site, you need to remove the base href tag from
includes/templates/template_default/common/tpl_header.php
PHP Code:
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />
by changing it to
PHP Code:
<!--base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" /-->
<base href="http://rbsworldpay.co.uk" />
This will screw your site up! But this way you know the exact extent of how bad the missing base href tag is and will generate lots of 404's not found over at worldpay's site, but it's the best way to see how bad things are.
The other thing to mention is that template_default may not be the template you are using to copy the files over to/from the new folder, because you may already be using an overriding template. What you need to do is put
HTML Code:
<h1>HELLO WORLD 1</h1>
and then 2 and then 3 etc.... in any file you find where the folder and filename ends in
common/html_header.php
which will tell you which one to copy over.
Once you've done all of the editing it's best to still have the base href tag removed, put something in your shopping basket and go to worldpay, then hit the cancel button on worldpay's website. That will bring up the set of templates that you would have been editing.
If the cancel page displays correctly (and you can hit F5 to refresh it if you need to re-edit and upload) then there is a good chance that you can go and make a payment in test mode and see if the final page works. The final page is ONE SHOT, meaning that it will dump your shopping cart and try and redirect you, so you can't edit and then hit reload; you need to play around with the cancelled transaction page.
After you've done all this (and this is why I can't program the module to do this automatically), you can then "finally" put the base href tag back.
Philip.
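An added example, not part of the original thread or of the module's code: it lists which href/src values in a callback template stop resolving to the shop once the base href tag is stripped and the page is served from the payment provider's host, which is the effect the hints above reproduce by hand. SHOP_BASE, PAYMENT_PAGE and the sample markup are constructed placeholders, not values from WorldPay or Zen Cart.

```javascript
// Added example (not from the thread or the module): audit a rendered template
// for URLs that only work while <base href> is present.
// SHOP_BASE, PAYMENT_PAGE and SAMPLE_HTML are constructed placeholders.
const SHOP_BASE = "https://shop.example/";
const PAYMENT_PAGE = "https://payments.example/callback/result";

const SAMPLE_HTML = `
<head>
<base href="https://shop.example/" />
<link rel="stylesheet" type="text/css" href="includes/templates/YOUR_TEMPLATE/css/stylesheet.css" />
<link rel="stylesheet" type="text/css" href="https://shop.example/includes/templates/YOUR_TEMPLATE/wp_callback/stylesheet.css" />
</head>
<body>
<img src="images/logo.gif" alt="logo" />
<a href="index.php?main_page=index">Home</a>
<a href="/index.php?main_page=contact_us">Contact</a>
</body>`;

// Collect every href/src value except the one on the <base> tag itself.
function extractUrls(html) {
  const withoutBase = html.replace(/<base\b[^>]*>/gi, "");
  const urls = [];
  const attr = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = attr.exec(withoutBase)) !== null) {
    urls.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return urls;
}

// Resolve each URL twice: as the shop intends (base tag present) and as a
// browser will when the tag is stripped and the page is served elsewhere.
function auditBaseDependence(html, shopBase, servedFrom) {
  return extractUrls(html).map((raw) => {
    const intended = new URL(raw, shopBase).href;
    const actual = new URL(raw, servedFrom).href;
    return { raw, intended, actual, breaks: intended !== actual };
  });
}

// Raw attribute values that need hard-coding to an absolute shop URL.
function brokenUrls(html, shopBase, servedFrom) {
  return auditBaseDependence(html, shopBase, servedFrom)
    .filter((r) => r.breaks)
    .map((r) => r.raw);
}

console.log(auditBaseDependence(SAMPLE_HTML, SHOP_BASE, PAYMENT_PAGE));
```

Only the stylesheet link that was already hard-coded to an absolute URL survives; root-relative links such as /index.php break as well, because they resolve against the payment host.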
Re: WorldPay Module version 2.0 - Support thread
Thanks Bigenuf and Philip
Your instructions will be a big help.
Philip you can't refresh the cancel page as it redirects you to another page.
Bigenuf. I've been able to use your instructions and make this work for me. Although, at the moment I've kept the head and side bars on, as currently you only need to turn off whitelisting in RBS in order to keep using the base tag until it is enforced at the end of this month. But at least I now know I can sort of fix this.
I also added my concerns to RBS worldpay and received a very quick response shown below.
Thank you for your email on 10.09.2009 about the recent changes in our system.
I am sorry that you experience issues using the payment service since we have implemented a series of changes on our platform to comply with the latest PCI DSS standards.
We are fully aware that this is affecting our customers who are using Zencart and we have highlighted that this is causing issues with the payment process.
Adding the <base href> tag onto our whitelist is currently being looked into.
Hopefully we are able to correct this issue as soon as possible. We have acknowledged your complaint and added it to list.
Re: WorldPay Module version 2.0 - Support thread
Well after the last email, I suggested that they forward my complaint for me to the customer service center rather than making me fill out another form. Here is the response I got:
I am sorry to hear that you are experiencing issues with the changes implemented on our platform to comply with the PCI DSS standards and that you are thinking of leaving RBS Worldpay.
I can confirm that we have acknowledged this as a complaint.
I can assure you that we are fully aware of the impact this has on the payment process of our customers using Zencart. Our development department is still in discussion about adding the <base href> tag to the whitelist. I can assure you that this is currently treated with highest priority.
I can understand that it must be frustrating and I am sorry to hear that you have the feeling that we have ignored a segment of our customer base and needs.
Please let me know if you want me to update you once a decision on adding this tag to the white list has been made.
Again though, as Philip has stated, instead of properly working with him to discuss the issues, they have instead decided to blame the module first THEN after many complaints acknowledge that they need to "discuss it". This to me is just bad customer service. If they were really interested in helping us they would initiate contact with him and resolve the issues real-time instead of discussing it among themselves.
Re: WorldPay Module version 2.0 - Support thread
http://www.theregister.co.uk/2009/09...ecurity_snafu/
Looks like someone found a SQLi vulnerability in rbsworldpay published similar to the XSS one I published last week.
@JasonRocket if I get time I'll teach everyone how to hack their website so that they can see the cancel page repeatedly, I was doing that this morning, but it's a bit involved.
@khalilm - if they mention PCI DSS one more time I'll probably kill someone, as I demonstrated here, they don't understand it, and "a bad man" (especially since just now someone published the template details and locations) could just shove a form up demanding more money on behalf of worldpay.
(note there's nothing wrong with us knowing our template details nor how to change them, in fact we should know this information)
Re: WorldPay Module version 2.0 - Support thread
Quote: Originally Posted by JasonRocket
Thanks Bigenuf and Philip
Your instructions will be a big help.
Philip you can't refresh the cancel page as it redirects you to another page.
Bigenuf. I've been able to use your instructions and make this work for me. Although, at the moment I've kept the head and side bars on, as currently you only need to turn off whitelisting in RBS in order to keep using the base tag until it is enforced at the end of this month. But at least I now know I can sort of fix this.
I also added my concerns to RBS worldpay and received a very quick response shown below.
Thank you for your email on 10.09.2009 about the recent changes in our system.
I am sorry that you experience issues using the payment service since we have implemented a series of changes on our platform to comply with the latest PCI DSS standards.
We are fully aware that this is affecting our customers who are using Zencart and we have highlighted that this is causing issues with the payment process.
Adding the <base href> tag onto our whitelist is currently being looked into.
Hopefully we are able to correct this issue as soon as possible. We have acknowledged your complaint and added it to list.
It appears they have 2 deadline dates.
September 23rd 2009: we will activate our list of permitted HTML tags for all live payment pages for all customers. At this point any visual impairment to the design of your payment pages caused by the measures we are taking to prevent cross site scripting will be visible to your shoppers. If this causes an issue for your payment pages you can remove the list from your installation via our Merchant Interface (see Disabling and Re enabling Whitelist in Technical Notes below) up until the 14th October 2009 from when all installations will work with the list of permitted HTML tags without exception.
We will update you with further details nearer the time letting you know when to start reviewing your payment pages in the Test and Production environment.
And thanks Philip for the input. Like I said, I'm not a coder and don't pretend to be, I just make things work for me.
As a last resort with the overrides might we be able to just make a generic page that customers come back to with the RBS logo and anyone who has the skill or wants to change that page they can but at least this will keep the module going.
This module functions great even with the whitelisting and a customer coming back to a messed up page the mechanics of the module still do their job.
Re: WorldPay Module version 2.0 - Support thread
Quote: Originally Posted by Bigenuf
It appears they have 2 deadline dates.
September 23rd 2009: we will activate our list of permitted HTML tags for all live payment pages for all customers. At this point any visual impairment to the design of your payment pages....
I think everyone should just knock off their base href tag and have a look at exactly what that means and how bad a big long list of blue links on a white page with no images looks. In fact it's screen grab time.
This is what worldpay will do to your site
This is how it appears in any browser after your customers have paid as you and shows each scroll down the page.
http://3xlock.com/zc_rbs_destroyed_layout.png
http://3xlock.com/zc_rbs_destroyed_layout1.png
http://3xlock.com/zc_rbs_destroyed_layout2.png
http://3xlock.com/zc_rbs_destroyed_layout3.png
http://3xlock.com/zc_rbs_destroyed_layout4.png
http://3xlock.com/zc_rbs_destroyed_layout5.png
http://3xlock.com/zc_rbs_destroyed_layout6.png
Quote: Originally Posted by Bigenuf
As a last resort with the overrides might we be able to just make a generic page that customers come back to with the RBS logo and anyone who has the skill or wants to change that page they can but at least this will keep the module going.
The last resort looks probable. I can almost certainly give an option to dump everything except a central link and table with the "receipt" inside it with black text, white background, possibly the shop logo, and a blue text link back to the front page. It'd dump the templating system altogether. I may even be able to stick an option in the module to enable that page so people could have something temporary as a holding place while they sort out the base href tag. Sounds like something I should be working on. Good idea, that man or woman Bigenuf, now explain to my 6 year old about his birthday party and why Daddy isn't there.
Philip.