WorldPay Module version 2.0 - Support thread

[philip_clarke]

Read that, some systems don't allow anything to connect to the worldpay module (the callback system) unless the domain ends in worlpay, that's not us. The reason why is that although it increases security I can't guarantee that with the thousand odd web servers that use this module, that they are configured correctly to look up the host hane of incoming connections, plus worldpay has a 30 second time out when it sucks the page in, so there's a real possibility taht it could lead to more errors.

This would be simple to add if it were based on ip addresses because then non nameserver look up would be required, but sparky monkeys over there, never saw fit to channel things through a constant range of addresses instead they add them a random it would have been trivial to bounce all requests through one ip address, but nope they rely on the weak point of the internet, the DNS system.

Philip.

[Ooba_Scott]

Yeah did think you would have read it, but thought it was just worth posting to be on the safe side....

Im kinda playing the waiting game now and seeing if what they come back with....or trying to figure out something myself.

Will have to see what they tell petelutonuk, if he manages to give them a call.....he may get told a different story depending on which techy person you speak to. So his person may come up trumps and offer a solution

[philip_clarke]

Well what I suggest is using the techniques used to find xss exploits. What would seem to be happening over at worldpay is that they suck the page through and knock off the <base href tag from header_php.php so what you could do is some of these combinations in your file and see if you can fool the part of their program that recognises the tag.

First of all you need to be 100% positive you are editing the correct file for your layout. the default is at

includes/templates/template_default/common/html_header.php

so if you put

HTML Code:

<!--hello world-->

in that page then you should see it appear on worldpay's suck through page, otherwise you look for other header files in your template overrride structure

then you would replace the line

HTML Code:

<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />

HTML Code:

<base \ href=<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />

or

HTML Code:

<base \0 href=<?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />

or this should work

HTML Code:

<script language="javascript" type="text/javascript">
document.write('<ba'+'se '+'href="');
</script>
<noscript><base href="</noscript><?php echo (($request_type == 'SSL') ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ); ?>" />

Philip

[Ooba_Scott]

Thanks for taht Philip......i did have a go yesterday, but my brain was frazzled and i didnt get very far......im feeling more awake today so may give it a go if i geta free minute.

I have already located the file in the template_default and i havnt changed it in my override system so thats easy to find and change.

Bit of a busy day at the office today so may have to leave it till tommorow

Not really expecting a response from worldpay unless i constantly phone them..

But will keep you all posted on my findings and all

[philip_clarke]

It is ironic that if the changes made are to stop potential xss warnings, that I have to suggest using my xss knowledge to circumvent the issue. I doubt the javascript one would trigger an issue since it is similar in stucture to google analytics.

[Ooba_Scott]

Philip, Just spotted acouple of things in the /includes/modules/payment/worldpay.php file that i would like to double check are correct if thats ok

On line 33 it points says 'includes/templates/template_default/templates/tpl_wpcallback_default.php' but that file isnt located in template_default for me, it is in my custom overrides folder.....is that an issue?

Secondly on line 75 the address it points to is https://secure-test.wp3.rbsworldpay.com/wcc/purchase, but the web address i end up on is https://secure-test.wp3.rbsworldpay.com/wcc/card

Could they be causing a problem?

[petelutonuk]

Hello Philip. My brain hurts. I tried various things like hard coding the base href tag in and putting little messages in html_header.php (which did pass through) but Worldpay ARE definitely filtering out the base href tag due to the new security standards. They say that until the 30th September 2009 you can disable the "Enable whitelisting?" setting in your Worldpay Installation Administration page. I did this and BINGO the "Thank you" and "Order Cancelled" pages display properly... the base href tag is there in the source code. I tried looking at the various sites they point you to for information (www.owasp.org and www.pcisecuritystandards.org) but I got a bit bewildered. I have sent an email to [email protected] (because their stupid contact form doesn't work!) I have explained what the problem is and that it will become a big problem unless they can provide a solution. Something needs to be done or we simply can't use Worldpay with Zencart I imagine.

[Ooba_Scott]

petelutonuk, you obviously had a better phonecall with worldpay than i did....my tech support person was not very technical at all.

I had a look at rbs site again and found the page about the cahnges and about switching off whitelisting for the time being.....so that will solve the problem for like a month.

But by the end of september it will be back to not displaying the pages properly, due to XSS (i belive this is what philip was thinking they were doing earlier)

Heres the to the page on worldpay http://www.rbsworldpay.com/support/b...s&sub=xss&c=UK

When the whitelisting (safe attribute thing) gets enforced on 30th sep, its going to cause alot of problems, with us zen cart users, and i would imagine alot of other people aswel!

[petelutonuk]

Hi, I didn't actually speak to anyone at Worldpay but tried what they said in the emails and all my sites worked including the one I have had for 8 years which is simple XHTML with a php search engine... even that will be going to hell in a hand cart at the end of September. I haven't actually found a list of the permitted code we are allowed to use....I am starting to despair! I just hope they reply with some useful information A.S.A.P.

[petelutonuk]

Well I got my first email response from RBSWorldpay at 1AM. They asked me if it was just the images and stylesheet that were missing which I confirmed. I received this reply....

By uploading your images and CSS (I have yet to test this) to our WorldPay server via our "Payment Page Editor" through our Merchant Administration Interface should solves the display problem. To reference them, the code is as follows:<img src="/i/XXXX/filename.extension"> (XXXX refers to your installation id)

Please note that your CSS file extension should be in lower caps (eg styles.css instead of styles.CSS). All filenames uploaded to WorldPay server are case sensitive, so if the filename is Mylogo.jpg, on your XHTML file it should points to Mylogo.jpg instead of mylogo.jpg.

Please do not hesitate to contact us should you require our further assistance or clarification.

This looks like a lot of hassle to me and as you can see he has not even tried it, I am not convinced this will work because of the way Zen cart works and would mean the site is not all under the control of the Zencart admin section. I will try uploading a few things to my worldpay installation this evening after work.