  1. #411
    Join Date
    Oct 2005
    Location
    Finland
    Posts
    186
    Plugin Contributions
    1

    Default Re: WorldPay Module for ZenCartv1.3x

    PayPal is not the same type of payment gateway as WorldPay, DIBS etc., just so we know that. ;)

  2. #412
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x

    I haven't really investigated worldpay (as in going there and finding out how it works) as yet, the system is good if the module is implemented correctly, I do have to have a look at the documentation at some time to check for a few other things. I think that the next version of the module should be secure, myself and Alan have already gone over it for XSS possibilities and the "next" module itself is currently secure, whether ZC is secure against them further down the chain is another matter.

    I'll be looking at how OsCommerce handles things too, but this is unpaid so it'll be when I can squeeze it in.

  3. #413
    Join Date
    Dec 2007
    Posts
    102
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    I have got your e-mails Philip, apologies for not replying sooner but I have been trying to spend more time with the kids this weekend :) I will get my fine tooth comb out for the morning...

    I can confirm from a previous post of Philip's, that it is possible to use the second exploit for worldpay to return a confirmation e-mail, that payment has been received and if you have lots of orders coming in (I wish!!) it could be quite easy to miss, that all was not well.

    Thanks for all the time and effort to resolve this Philip and you too Alan... keep up the good work :)

    Forever a Cynic.....
    AfterHouR

  4. #414
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x

    Thank you Afterhour, I understand that some people have family commitments, I'm just a little too obsessive, although in the current fashionable words of the day, I suppose I could pass it off as being "passionate" about my work.

    Alan can handle everything, I am going to shift my focus on some other things that have cropped up during this investigation, like how to set up a system within zencart to store "critical exploit alerts", it'll be a useful use of my time. I'll have to persuade the zencart developers, and the module developers to implement a simple version listing file in their systems and then a comparison and since I'm as subtle as an axe, it may be sometime before the system is implemented, but if you think about it, during this pretty serious alert, there's only been about 5 visitors to the thread, and I'm damned sure that there's a lot more installations around than that.

  5. #415
    Join Date
    Nov 2004
    Location
    Glasgow, Scotland
    Posts
    251
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    SECURITY PATCH AVAILABLE FOR DOWNLOAD

    You will find below a link to download a Patch to address the Security Exploits discussed above. Thanks to Philip Clarke for identifying these and for his assistance in testing this patch. He has also made some further suggestions which I will try to absorb and incorporate in future releases as appropriate.

    THIS PATCH IS FOR THE FOLLOWING VERSION OF THE WORLDPAY MODULE:

    WorldPay_ZC1.3x_v1.0_beta

    This version was not available from the Downloads but from my website - a link has been posted on the forums at least twice previously. It's beta because I was not able to test this on PHP5. Philip has posted above details of how to configure the host server to allow the module to work on PHP5.

    IF YOU ARE USING THE VERSION FROM THE DOWNLOADS SECTION UPGRADE TO THIS VERSION FIRST AND THEN APPLY THE PATCH IMMEDIATELY

    When upgrading follow the installation instructions carefully. You will need to remove all the previous version files from your server. Also it will only work on 1.3x versions of Zen Cart so if you are still using an earlier version of Zen Cart upgrade your Zen Cart first.

    The two exploits are as follows:

    1. The existing module can be fooled into processing an order without a payment having gone through WorldPay. This is fixed by setting a Payment Response Password. The patch adds functionality to process the Payment Response Password.

    2. The order value processed by WorldPay can be altered so that the customer pays less than the order value. This is fixed by configuring the existing MD5 functionality which has always been available within the module.

    Both of these exploits will only be successful if shop owners are not vigilant in checking orders against WorldPay payments.

    The download links are as follows:

    WorldPay_ZC1.3x_v1.0_beta

    http://www.workingit.co.uk/ZenCart/W..._v1.0_beta.zip

    WorldPay_ZC1.3x_v1.0_beta_security_fix

    http://www.workingit.co.uk/ZenCart/W...curity_fix.zip

    I will submit a new version, including the security patch, to the downloads section asap.

    Regards,

    Alan
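
Added example (not part of the original post or of the module's code): a PHP 7+ sketch of the checks a callback handler can run before an order is marked as paid, covering the Payment Response Password and an automated version of the order-versus-payment comparison the post asks shop owners to make. The field names `callbackPW`, `transStatus`, `authAmount` and `authCurrency`, the function name and the sample values are assumptions to confirm against WorldPay's documentation.

```php
<?php
// Added example: callback checks before an order is marked as paid.
// Field names (callbackPW, transStatus, authAmount, authCurrency) and the
// $expected array are assumptions; confirm them against your WorldPay docs.

function verify_worldpay_callback(array $post, string $responsePassword, array $expected): array
{
    $errors = [];

    // Exploit 1: a forged callback cannot know the Payment Response Password.
    $supplied = isset($post['callbackPW']) ? (string)$post['callbackPW'] : '';
    if ($responsePassword === '' || !hash_equals($responsePassword, $supplied)) {
        $errors[] = 'payment response password missing or wrong';
    }

    // Only 'Y' counts as an authorised payment in this sketch.
    if (($post['transStatus'] ?? '') !== 'Y') {
        $errors[] = 'transaction not authorised';
    }

    // Exploit 2: compare what was actually paid with the stored order total,
    // in minor units so that "10.5" and "10.50" compare equal.
    $paid = (int) round(((float)($post['authAmount'] ?? 0)) * 100);
    $due  = (int) round($expected['total'] * 100);
    if ($paid !== $due) {
        $errors[] = "amount mismatch: paid $paid, due $due";
    }
    if (($post['authCurrency'] ?? '') !== $expected['currency']) {
        $errors[] = 'currency mismatch';
    }
    return $errors; // an empty array means every check passed
}

// Constructed sample callbacks (not real WorldPay traffic).
$order    = ['total' => 49.99, 'currency' => 'GBP'];
$good     = ['callbackPW' => 's3cretPW', 'transStatus' => 'Y', 'authAmount' => '49.99', 'authCurrency' => 'GBP'];
$forged   = ['transStatus' => 'Y', 'authAmount' => '49.99', 'authCurrency' => 'GBP'];
$underpay = ['callbackPW' => 's3cretPW', 'transStatus' => 'Y', 'authAmount' => '0.01', 'authCurrency' => 'GBP'];

foreach (['good' => $good, 'forged' => $forged, 'underpay' => $underpay] as $name => $cb) {
    $errs = verify_worldpay_callback($cb, 's3cretPW', $order);
    echo $name, ': ', $errs ? implode('; ', $errs) : 'accepted', "\n";
}
```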

  6. #416
    Join Date
    Dec 2007
    Posts
    102
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    Thanks again for all your hard work Duncan and Philip and for getting onto this straight away..

    It is a real shame there hasn't been more of an uptake to this, I expected more of a response on these pages from people than this... Ignorance is bliss, or is it ignorance is no defence???

    Anywho...

    Can I make a small suggestion to your documentation Duncan

    the dashboard in Worldpay has changed slightly and so has some of the wording...

    5. Also in the Configuration Options set the following if not done already:

    Callback Enabled? - ensure this is ticked.
    Use callback response? - ensure this is ticked.
    Callback suspended? - ensure this is NOT ticked (it automatically selects if callback fails)
    Payment Response Password - enter your password. Make this secure using numbers and letters. You only have to remember it long enough to enter it in your Zen Cart Worldpay module configuration.
    MD5 secret for transactions - enter a pass phrase which can be up to 16 characters long and include spaces. You will need to contact WorldPay technical support first for this to be enabled.
    Note: You will find more information on how to configure your WorldPay installation here: http://www.worldpay.com/support/kb/m...ect/rhtml.html

    should read

    5. Also in the Configuration Options in Worldpay installation set the following if not done already:

    Payment Response enabled? - ensure this is ticked.
    Enable Recurring Payment Response? - ensure this is ticked.
    Enable the Shopper Response? - ensure this is ticked
    Suspension of Payment Response? - ensure this is NOT ticked (it automatically selects if callback fails)
    Payment Response Password - enter your password. (and then again to validate, do not tick use default as it will reset password fields) Make this secure using numbers and letters. You only have to remember it long enough to enter it in your Zen Cart Worldpay module configuration.
    MD5 secret for transactions - enter a pass phrase which can be up to 16 characters long and include spaces. (and then again to validate, do not tick use default as it will reset password fields)
    Click on update installation (You don't have to contact WorldPay technical support anymore for MD5 as this is now done from Worldpay dashboard)

    Note: You will find more information on how to configure your WorldPay installation here: http://www.worldpay.com/support/kb/m...ect/rhtml.html

    I hope that helps

    Kind Regards
    AfterHouR

  7. #417
    Join Date
    Dec 2007
    Posts
    102
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    Err... Spoke too soon

    I'm getting an MD5 signature could not be verified error from Worldpay.. There is something in the following that Worldpay doesn't like and yes before anyone asks, I have verified that fat fingers are compatible with the keyboard and the MD5 in Worldpay dashboard and zen worldpay module are the same :) hehehe


    function worldpay()
    {
        global $db, $order;
        $this->code = 'worldpay';
        $this->title = MODULE_PAYMENT_WORLDPAY_TEXT_TITLE;
        $this->description = MODULE_PAYMENT_WORLDPAY_TEXT_DESCRIPTION;
        $this->sort_order = MODULE_PAYMENT_WORLDPAY_SORT_ORDER;
        $this->enabled = ((MODULE_PAYMENT_WORLDPAY_STATUS == 'True') ? true : false);
        if ((int)MODULE_PAYMENT_WORLDPAY_TEST_MODE !== 0)
        {
            $this->form_action_url = 'https://select-test.worldpay.com/wcc/purchase';
        }
        else
        {
            $this->form_action_url = 'https://select.worldpay.com/wcc/purchase';
        }
        if ((int)MODULE_PAYMENT_WORLDPAY_ORDER_STATUS_ID > 0)
        {
            $this->order_status = MODULE_PAYMENT_WORLDPAY_ORDER_STATUS_ID;
        }

        if (is_object($order)) $this->update_status();

    }

    Regards
    AfterHouR

  8. #418
    Join Date
    Dec 2007
    Posts
    102
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    Sorry ignore the last post, 7 minutes had passed before I could alter it.... should read


    Err... Spoke too soon

    I'm getting an MD5 signature could not be verified error from Worldpay.. There is something in the following that Worldpay doesn't like and yes before anyone asks, I have verified that fat fingers are compatible with the keyboard and the MD5 in Worldpay dashboard and zen worldpay module are the same :) hehehe


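        // Only sign the request when MD5 protection is switched on in the module settings.
        if (MODULE_PAYMENT_WORLDPAY_USEMD5 == 'True')
        {
            // Names of the posted fields covered by the signature, in signing order.
            $md5_signature_fields = 'amount:lang:email';
            // String to hash: the secret, then the value of each signed field, colon-separated.
            $md5_signature = MODULE_PAYMENT_WORLDPAY_MD5KEY . ':' . $OrderAmt . ':' . $language_code . ':' . $order->customer['email_address'];
            $md5_signature_md5 = md5($md5_signature);

            $process_button_string .= zen_draw_hidden_field('signatureFields', $md5_signature_fields) .
                zen_draw_hidden_field('signature', $md5_signature_md5);
        }
        return $process_button_string;
    }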

    Sorry, it's 20 years since I have done any real programming, apart from the odd script alterations over the last 12 months and I have had all sorts of learning curves and constant insomnia to cope with :) So some of my basic knowledge has been fried along the way...

    So any help from you experts out there will be greatly appreciated...

    Regards
    AfterHouR
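
Added example (not the poster's or the module's code): one way to rule out a mismatch between the values that are signed and the values that are posted is to build the signature from the same array that produces the hidden form fields. The secret-then-values order and the colon separator follow the snippet in the post above; the function names and sample values are constructed, and PHP 7+ is assumed.

```php
<?php
// Added example: derive the signature from the fields that are really posted.
// Separator and field order follow the snippet in the post above; the
// function names and sample values are constructed for illustration.

function worldpay_signature(string $secret, string $signatureFields, array $form): string
{
    $parts = [$secret];
    foreach (explode(':', $signatureFields) as $name) {
        if (!array_key_exists($name, $form)) {
            throw new InvalidArgumentException("signed field '$name' is not in the form");
        }
        $parts[] = (string)$form[$name]; // the exact string that will be posted
    }
    return md5(implode(':', $parts));
}

function signed_form(string $secret, string $signatureFields, array $form): array
{
    $form['signatureFields'] = $signatureFields;
    $form['signature'] = worldpay_signature($secret, $signatureFields, $form);
    return $form;
}

$secret = 'constructed secret';
$form   = ['amount' => '10.50', 'lang' => 'en', 'email' => 'buyer@example.com'];
$signed = signed_form($secret, 'amount:lang:email', $form);

// Formatting matters: "10.5" and "10.50" are different strings to MD5.
$reformatted = ['amount' => '10.5'] + $form;
var_dump($signed['signature'] === worldpay_signature($secret, 'amount:lang:email', $reformatted));

// A changed amount no longer matches the signature sent with the form.
$tampered = ['amount' => '0.01'] + $form;
var_dump($signed['signature'] === worldpay_signature($secret, 'amount:lang:email', $tampered));

// A field listed in signatureFields but absent from the form is caught early.
try {
    worldpay_signature($secret, 'amount:lang:email', ['amount' => '10.50', 'lang' => 'en']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```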

  9. #419
    Join Date
    Apr 2008
    Posts
    33
    Plugin Contributions
    0

    Default Re: WorldPay Module for ZenCartv1.3x

    AfterHour - I am getting this error having followed the re-installation instructions and applying the patch.

    Is there anyone else out there that can help? Alan?

  10. #420
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: WorldPay Module for ZenCartv1.3x

    Carl, I am around if you want me to have a look.

    Philip.

 

 