Re: WorldPay Module for ZenCartv1.3x
I can confirm this is a very serious threat that does exist. Philip is on the level and can be trusted in what he says.
I would suggest, if you are using this module, that you check every transaction in your WorldPay dashboard with a fine-tooth comb, or you disable this script until a fix is found.
I have checked via admin and nothing looks untoward in the users' activity logs, so I could have easily lost over £430 if I was not aware of this.
Thank you, Philip.
I hope you are better soon.
Kind Regards
AfterHouR
Re: WorldPay Module for ZenCartv1.3x
I just cannot keep still over this and this is going to hurt later, but I have to thank the people that allowed me to demo this security hole.
Just to confirm, the people that have helped me only gave me their website address. No other information is needed to put orders through. I agree with AfterHour that every transaction must be confirmed manually by logging onto WorldPay, or take the module out completely, and I mean remove every trace of it, because database access is NOT needed to do this. If the developer could get in contact we might have an idea of how many people have shops with this module and how many we have to inform.
Philip.
Re: WorldPay Module for ZenCartv1.3x
I was very doubtful of Philip to start with, but it was unfounded; he has been more than helpful, to his own detriment.
I can confirm all that is needed is your website address, nothing else.
I agree with Philip that this is a critical issue.
Moderators, please take action! This needs to be highlighted before people are defrauded.
Regards
AfterHouR
Re: WorldPay Module for ZenCartv1.3x
Couldn't agree more - I'm just glad our Zen store is still in beta. Thanks again to Philip for taking the time to test and highlight this hole!
Re: WorldPay Module for ZenCartv1.3x
I am back up for a short while at least. It gets complex and a long-winded explanation, but I am quite damaged just by missing my routine a bit to keep up with you guys.
There is a little bit about my condition and type of people (some call us sufferers, but I hate negative connotations) here:
http://cgi.ebay.co.uk/ws/eBayISAPI.d...m=370083525316
and it's quite a good story.
Snowy2007 & AfterHour have been great, but I'm going to give you a spanking in your personal mailboxes later.
Right, the developer has contacted me; he is not best pleased. This I can understand, since I punched a hole not only through his module but also through his SSL server, and one of his clients got caught in the fallout. (Lucky though that they've had a discussion about it, otherwise I'd have 100 very expensive Xmas cards arriving by special delivery.) Alan Duncan has a beta version of the WorldPay module; it requires slightly different configuration if it is to be used on a live server within WorldPay.
There are ethical issues involved in posting things like this, but a) I had no luck contacting Mr Duncan and had good reason to believe that he was not responding to emails, nor would he believe me unless I proved it on his own server; b) if I found it, and with Xmas coming up, then it's probably best that people are re-checking their transactions and not just trusting the module implicitly.
I have no access to WorldPay; I found this because someone asked me to have a look at it. I have the skills to fix it, but I'd need to research WorldPay a bit more, and it may be that Mr Duncan can do it. I apologise if I am rude, abrasive, defensive, etc. That would be the medication and disability. I was, however, arrogant beforehand. I once got "moderated" for asking for money to modify a module that I had created, so I'm not really sure if I'll fix this one personally. I will need some help to do this; I have my own server, but I do not have, as mentioned, a WorldPay account. I'd love to hold down a job, but I'm a little erratic in the hours I am awake. You could read between the lines, but I'll point out the bleeding obvious: I'm so clever I can hack the module and place orders without credit card details or access to WorldPay. There are other clever people out there, and they would be ordering from your websites without paying, and they could also do something else, almost guaranteed to get you guys to send the goods out.
Philip.
Re: WorldPay Module for ZenCartv1.3x
Good news: a couple of hours ago DrByte disabled the WorldPay download until someone can sort this out. I always liked him/her (you can't tell my wife's a Dr).
Well, I for one don't know where to go from here. Any suggestions? Wife Swap's on the telly soon. Also Master & Commander: The Far Side of the World, which I think was a cracking film. I have a suspicion I may just be waiting for someone, maybe the developer, to come online and tell me when he's ready to test the system out.
Philip.
Re: WorldPay Module for ZenCartv1.3x
Well done, Mr Clarke, for exposing this flaw. I have a few clients running this mod who I am sure will be more than happy to pay for you or the original author to fix this hole. I have always taken on board that any mod provided for free is provided as is and with no warranty, and when I have needed something special, I have had it written and paid for it, knowing that I am getting value for money and some backup if it does not work.
I am of the belief that the WorldPay/Zen community is quite large, as they make it easy to get an account with them. I have no idea how to contact them all! Perhaps the mods can post up a thread and drop an admin e-mail to all users of Zen regardless.
I may be on my own here, but Philip, I say open up the bidding and make the module a Pro/pay version! (P.S. get some rest!!!)
Re: WorldPay Module for ZenCartv1.3x
That Daisy May collection is a really nice customisation of Zen Cart; if it had a WorldPay module, I would certainly be buying! Ssssh, I can't pimp for payment, I got moderated the last time; search for Ferrari 456 in the Royal Mail thread, it should be below there somewhere. Anyone got a spare Mercedes ML class going?
Re: WorldPay Module for ZenCartv1.3x
lol, yeah, I am keeping my WorldPay sites hidden for the time being! Although if one of my clients doesn't pay up soon, we might need to chat!!! :-)
Again, personally I don't see anything wrong with wanting paying; the Zen Cart team have decided to make it open source, and some of us have to make a living by providing a service!
Sorry, can't quite stretch to a Merc! How about a sherbet dib dab?
Re: WorldPay Module for ZenCartv1.3x
Alan Duncan is doing some sterling work, pushing forward the development of a beta to stop the hole. The initial results are very promising. I had an AMG S55; it was a great car, but I'm sensitive to vibration and it didn't help, so I was thinking an ML class older 4x4 with those big bouncy tyres might help. I'm basically stuck in Pinner and a 3-mile radius unless I want to spend a couple of days walking around in circles swearing, ahh ahh my legs (or other bits you really don't want to know about, Complex Referred Pain Syndrome).
Now here's an idea (might have been suggested before; I haven't been around here for a long time): there's going to be a lot of people that don't know about this security hole. Zen Cart has that little update/check version button. How about a module that sits in Zen Cart and has a register of all additional modules, so that if one is updated, it goes "ping", and if there is a security issue it goes "ping ping". Shouldn't be difficult: Zen Cart write some module guidelines about versioning, they host the things anyway, quick post to the server every day to compare version numbers of installed modules and Bob's your uncle, safety for everyone (well, at least if the people don't ignore the annoying pinging). That module would be "free" since it would be a Zen Cart incorporated thing.
I might get round to learning how WorldPay works this weekend. Alan may be repairing the module, but I may have a think about some aspects of the design. I have noted someone's comments above about seeing if the WorldPay address details differ. At the moment there is no storage of what WorldPay sends back as a confirmed credit card address, so I'm pretty sure that when I "hacked" (I hate that word, I am trying to help) someone's site this morning to demonstrate the concept, I used the address snow-white.
Thanks
Philip.
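The "ping / ping ping" module-update check sketched in the post above, as an added Python example; this is not code from the thread, from Zen Cart or from the WorldPay module. The manifest format, the module names other than worldpay and all version strings are constructed assumptions; a withdrawn module (as with the pulled WorldPay download) is treated as a security notice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Notice:
    module: str
    installed: str
    latest: str
    level: str  # "ping" = newer version exists, "ping ping" = security issue


def parse_version(v: str) -> tuple:
    """'1.3.8a' -> ((1,''),(3,''),(8,'a')): numeric parts compare as numbers, suffixes as text."""
    out = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append((int(digits) if digits else 0, part[len(digits):]))
    return tuple(out)


def check_modules(installed: dict, manifest: dict) -> list:
    """installed: {module: version} from the shop's own register.
    manifest: what the daily poll of the hosting server returned (assumed format)."""
    notices = []
    for name, have in sorted(installed.items()):
        entry = manifest.get(name)
        if entry is None:
            continue  # not a registered module, nothing to compare against
        latest = entry["latest"]
        fixed_in = entry.get("security_fixed_in")
        if entry.get("withdrawn"):
            level = "ping ping"  # download pulled pending a fix: treat as a security issue
        elif fixed_in and parse_version(have) < parse_version(fixed_in):
            level = "ping ping"  # running a version older than the security fix
        elif parse_version(have) < parse_version(latest):
            level = "ping"       # ordinary update available
        else:
            continue             # up to date, stay quiet
        notices.append(Notice(name, have, latest, level))
    return notices


# Constructed sample data: module names (other than worldpay) and versions are illustrative only.
INSTALLED = {"worldpay": "1.0", "module_a": "2.7", "module_b": "2.1"}
MANIFEST = {
    "worldpay": {"latest": "1.0", "withdrawn": True},
    "module_a": {"latest": "2.8", "security_fixed_in": "2.8"},
    "module_b": {"latest": "2.2"},
}

if __name__ == "__main__":
    for n in check_modules(INSTALLED, MANIFEST):
        print(f"{n.level}: {n.module} {n.installed} -> {n.latest}")
```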