Page 41 of 48
Results 401 to 410 of 475
  1. #401
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Idea or Suggestion Re: WorldPay Module for ZenCartv1.3x

    Bugger,

    Totally forgot, someone asked me about getting worldpay to work with PHP5, at the moment it's simple, in your php.ini file there is a line
    Code:
    register_long_arrays = Off
    change that to

    Code:
     register_long_arrays = On
    restart apache and the current module will work, except you can't download it because until this bug is fixed it's been disabled. But anyway, I've seen the beta and it looks PHP5 compatible. Turning on register_long_arrays will slow down/ use more memory on an overworked server too.

    Thanks
    Philip.

  2. #402
    Join Date
    Nov 2004
    Location
    Glasgow, Scotland
    Posts
    251
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    OK folks - I'm back!

    Been very very busy lately so have not been around the forums. Also I haven't had much to add since the module works fine if the host server maintains sessions. PHP5 is another issue but Philip seems to have a solution to that.

    Regarding the SECURITY HOLE. It is real and does exist and needs to be closed. Also current users need to be vigilant and check that, before fulfilling any orders, the appropriate payment has gone through their WorldPay account.

    The good news is that I have a fix and so far Philip has not been able to break it. It's a fairly simple fix but needs a little tidying up and some further testing before release.

    Be back soon with download details.

    Regards,

    Alan

  3. #403
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x

    I think hats off to Alan for having "sorted" the initial hole (I thought of a better word, EXPLOIT), so far in basic testing the new module is a real gem of programming and Alan has done exceptionally well in this short time scale.

    Even better is that I did not give him my code, he's a clever bunny that one, once he was told the theory, he worked out how it was being done and patched it without being able to test. That would be the programming equivalent of dodging a bullet blindfolded wearing ear plugs, after having been turned around a couple of times and the gun would have a silencer on it. Give the man a sausage.

    Now all we have to do is work out how to tell every zencart worldpay shop, to upgrade.

  4. #404
    Join Date
    Mar 2008
    Posts
    100
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    Quote Originally Posted by philip_clarke
    Give the man a sausage.
    Can I have a sausage too for being the first to believe you - Lincolnshire would be nice! :)

    Quote Originally Posted by philip_clarke
    Now all we have to do is work out how to tell every zencart worldpay shop, to upgrade.
    How about we talk to Worldpay and ask them to email their customers?

  5. #405
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x

    Actually Snowy2007, you were great in helping me prove the concept, you probably deserve a sausage that is at least 80% meat.

    Is your worldpay account in test mode, still ? (PM me) Because I found another entirely different exploit which I've confirmed with Alan (and I have asked him nicely to confirm this, as people have been offering me gainful employment, and I wouldn't want anyone to think I was a one-hit wonder).

    AfterHour, he was great too, cynical, but I don't hold a sausage against him.

    Philip.

  6. #406
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    bug Re: WorldPay Module for ZenCartv1.3x, EXPLOIT 2 Update

    Good Evening.

    The second exploit is live and out there too, and is different from the first. Alan will be addressing it in the next version BUT there is a workaround for the second one.

    The current advice is to either disable worldpay or to check for the confirmation emails or check the account. AfterHour should be able to confirm that I have ordered about £80 of items from his shop but only paid 1 pence for the goods, he also received a confirmation email from WorldPay that if he did not read carefully, he would have thought the transaction was fully paid up. It would only be spotted in careful reading and going to the worldpay account.

    The current advice for anyone with worldpay installed is to carefully check your worldpay account by logging on and confirming the amount paid corresponds to what zencart is telling you. The workaround for the second exploit is to use MD5. These instructions have been provided for me by Carl Stone, who has been helping my research by allowing me to run test transactions through his server. Note at all times I have never been able to access the admin section, nor do I require administrative passwords, this is a critical exploit as it can be done on any zencart with worldpay. The advice for turning on MD5 is as follows:

    Ok, in the worldpay system settings you go to integration setup (you have to go to "production" first), then set your password in "MD5 secret for transactions" and save. You then switch to Test and do the same making sure you save after each change. [ this section in italics may only be if you are using the test mode as well as production, I believe - Philip ]

    In Alan's module there is an MD5 field where you add the same password, you also have to set MD5 to True in another field.
    Thank you Carl - aka snow-man
    Thank you AfterHour - sorry I had to demo it on your server again but I had to make sure it was in the wild and that it wasn't anything I had introduced while working through the module with Carl.

  7. #407
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x, EXPLOIT 2 Update

    I'm sorry but I had to do this, blame my sense of humour and Duncanad's Signature. I'll tell you about the penguins, bear in mind they are almost 10 years old and the code even works in Google Chrome without modification since it was originally written in Javascript. You can check this on the internet archive, they used to be on bouncing.org's front page (the way back machine appears to be overloaded for most of today).
    Last edited by philip_clarke; 28 Sep 2008 at 02:38 AM. Reason: added signature.

  8. #408
    Join Date
    Oct 2005
    Location
    Finland
    Posts
    186
    Plugin Contributions
    1

    Default Re: WorldPay Module for ZenCartv1.3x

    Hm ... I don't think this is very special for WorldPay alone, it applies to most of the payment gateways because of the way Zen Cart, osC etc. works in this area. Arrest me if I'm wrong ... but MD5 should be used on all, if available, in order to avoid this behaviour. This is nothing new, we've seen it before on other modules.

    Btw! This is also why some payment providers don't allow instant capture as default, because you should check all payments before shipping.

    Just my 2 cents.
    Last edited by rued; 28 Sep 2008 at 07:15 AM.

  9. #409
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x

    Morning,

    I've tried it with the paypal IPN_Handler. That's very well written, and it won't pay for the items if the amount/ currency is different. It also throws an error if you have debug mode set and one tries the first exploit, which states

    Code:
    IPN WARNING :: Transaction was not marked as VERIFIED. Keep this report for
    potential use in fraud investigations.
    IPN Info = 
    INVALID
    That would be email number 6 in debug mode, on a live site. After the ipn_main_handler.php receives a post, it posts the information back to paypal for more confirmation, so if the transaction never took place, if the currency is wrong, if the amount is different then the PayPal server throws an INVALID response.

    I started testing other modules for similar exploits yesterday.

    Thanks

  10. #410
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x

    I'll add to that comment above.

    It's not complex to only mark a shopping cart as paid, if the amount and currency match.

    MD5 or not, the first exploit worked, and any shopping cart could be marked as paid.

    The second exploit means that a £100 cart can be marked as paid up for 1 pence. Some people do not read their notification emails correctly, but as I was saying to Alan. A nice way to carry on fraud is to find things you like and then take a 10-20% discount off them, then free shipping. If caught one's defence is "how the friggin hell do I know why they gave me a discount", it's very difficult to prove in a court of law especially since the amount paid and authorised is directly coming from paypal/ worldpay and they almost certainly have a contract with you stating that it's up to you to have used every available method to provide them with the correct payment amount.

    Thanks
    Philip.
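The two defences discussed in #406 (an MD5 secret that binds the amount to the payment request) and #410 (only mark a cart paid when the callback's amount and currency match the order), as an added Python example that is not code from Alan's module or from Zen Cart. The colon-joined md5(secret:field:...) format and the callback field names (callbackPW, transStatus, authAmount, authCurrency) are modelled on WorldPay's scheme but should be treated as assumptions; every value below is constructed.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed sample values, not real credentials or a real shop.
MD5_SECRET = "example-md5-secret"      # the "MD5 secret for transactions" value
CALLBACK_PW = "example-callback-pw"    # separate callback password (assumption)
ORDER = {"instId": "12345", "cartId": "ZC-1001",
         "amount": Decimal("80.00"), "currency": "GBP"}

def sign_request(secret, inst_id, amount, currency, cart_id):
    """Signature the shop attaches to the payment form. Modelled on WorldPay's
    colon-joined md5(secret:field:...) scheme (an assumption here). Because the
    amount and currency are inside the digest, a form edited to pay 1p no
    longer matches the signature the gateway recomputes from its own secret."""
    payload = ":".join([secret, inst_id, f"{amount:.2f}", currency, cart_id])
    return hashlib.md5(payload.encode()).hexdigest()

def callback_accepts(order, cb):
    """Return (ok, reason): may this callback mark `order` as paid?
    The shop's stored amount/currency are the reference, never the POST data.
    Each check answers one failure mode from the thread: a forged callback
    (password), an unauthorised status, and an underpaid or wrong-currency order."""
    if not hmac.compare_digest(cb.get("callbackPW", ""), CALLBACK_PW):
        return False, "callback password missing or wrong (forged callback?)"
    if cb.get("transStatus") != "Y":
        return False, "transaction not authorised"
    if cb.get("cartId") != order["cartId"]:
        return False, "callback is for a different cart"
    try:
        paid = Decimal(cb.get("authAmount", "0"))
    except InvalidOperation:
        return False, "authAmount is not a number"
    if cb.get("authCurrency") != order["currency"] or paid != order["amount"]:
        return False, f"paid {paid} {cb.get('authCurrency')}, order is {order['amount']} {order['currency']}"
    return True, "ok"

# Constructed callbacks: a genuine one, the 1p underpayment, and a forged POST.
GENUINE = {"callbackPW": CALLBACK_PW, "transStatus": "Y", "cartId": "ZC-1001",
           "authAmount": "80.00", "authCurrency": "GBP"}
UNDERPAID = dict(GENUINE, authAmount="0.01")
FORGED = {k: v for k, v in GENUINE.items() if k != "callbackPW"}

if __name__ == "__main__":
    for name, cb in [("genuine", GENUINE), ("underpaid", UNDERPAID), ("forged", FORGED)]:
        print(name, callback_accepts(ORDER, cb))
```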
