WorldPay Module version 2.0 - Support thread

[philip_clarke]

I estimate that there are at least 1000 shops using RBSWorldPay as their primary gateway, based on the number of downloads and that some of the downloaders are designers re-using their code.

@bigenuf - the appeal of zen cart is that there are a lot of people who do it themselves, they also have very outdated carts and are sitting ducks with the recent security exploits, there are some DIYer's that PHP/HTML wise, are as skilled as the average web designer, and then theres are developers. Designers' nice chaps, can do things I can't like design things to look pretty, most have a very limited knowledge of PHP structure let alone the more complex Object Orientated things. I get sub contracted quite a bit because of this. The better DIYer may be able to put something together, what concerns me is that a lot of people have had their site designed, so will go back to the "designer" who then might try and do it themselves, spend a lot of time and the client's money etc..

Actually I should have stuck a big sign in admin saying "check the forum first" but the designer's would probably remove it.

Then they'll be the people that try and get a cheap option off some freelance websites, which IMO is really quite dangerous because of the lack of knowledge or reputation I once was asked to look at something while a team from an Eastern European country were working on the same website, the team were explicitly told they couldn't have database access but had just read the config file and appeared to be downloading email addresses presumably to sell off as spam, while someone else was uploading illegal films. This isn't saying that there aren't trustworthy people in the Eastern European countries, but if they are offering a really low price they may be making money elsewhere like by selling lists, so reputations have to be checked very carefully.

I do break into websites including banks and governments, I also use my own name and don't hide anything I've done. I'm more of a strategist than a hacker as I do it to show what could be done, like poison the UK or commit relatively simple frauds, and mostly the results are that the internet is a safer place, unless of course you get WorldPay ignoring everything.

@peltonuk - Out of the open source shops, ZC is the most secure, osCommerce, the parent is now so full of holes with little maintenance that in parts of the site you only have to hit the enter key to commit fraud. The issue is that by usnig a base href tags, template designers didn't need that much PHP code, they didn't need to work out for each image whether the server has in the HTTPS or HTTP side (because if you ######## that up IE gives an insecure item warning) and that led to more flexibility as more lower skilled people could access the project from the start and grow to be better developers. The "problem" with commercial shops is the License agreement, which tends to go, "it's not our fault", so even if this comes up, then they don't have an incentive to fix it and they would charge. Also then there is the issue of contacting the shop owners, a lot of shops are installed by designers, shop owners then up paying middle men.

A cracking example is that there is one zen cart approved host that a) I had to tell them how to configure their server because they don't come from a systems' admin background, b) they are charging £75 to unzip and ftp in my royal mail modules. Every few months someone finds this out and emails me, but because it's open source I can't stop it.

Anyway everything would be better if the base href tag was kept in, they are allowing external style sheets too, there are attack vectors based on that also, in fact I can't work out any logical reason why they are picking on that tag. I think that they probably should have employed someone to RTFM before they decided on these decisions, for one thing they are using the specification that is listed as

Example policy file (far too permissive for production use)

I think that paypal charges about £20 a month for a virtual terminal service as well as the other features that WorldPay operates, the only thing they don't do is have a real terminal like you would swipe your card through in a shop, which I think you can extend the option with RBS, but if HSBC were to do a partnership then (or Google were to buy a physical bank which would be a good tactic since their checkout has never really taken off) ... actually I can't think of a reason why one would want to stay with worldpay even if they were to leave the base tag in, can anyone ?

[philip_clarke]

I just need to make sure i remember what changes i have made etc haha.

Phillip just gotta say i think you are doing a grand job as always!

Ha, what job, I'm just waiting, If they leave the tag in, then this whole discussion's been for nothing but I may just close the module anyway as I can't think of a reason to leave it running. When ZC 2.0 comes along the module would have to be re-written anyway.

If they don't leave the module in, I expect I'll get one or two sites repaired while a lot of people leave worldpay when they find out what has happened, or those people will get ripped off and charged far too much money for a repair to their website.

Want a competition ? I reckon I can fix the pages in 45 minutes on your client's website, that the pages will never throw an error and look identical to how they were before and include all images (my test program identifies the key points in the entire site ), no it's not really fair is it ?

[Ryk]

they are charging £75 to unzip and ftp in my royal mail modules. Every few months someone finds this out and emails me, but because it's open source I can't stop it.

If you're talking about who I think you are, then there is a very clear statement on every product page that the fee is NOT for the module but for the installation and configuration.

[Ooba_Scott]

haha no i think you would beat me to it......

Gotta update the client to the latest version of ZC, and patches and your latest module release as their previous guys havnt been keeping it uptodate

Have got a question, which you could probably answer me straight away....

Why do we need the base href tag anyway?
If you remove the base href tag, then the site will work fine anyway (obviously not in worldpay, as it needs it to be absolute urls), but on a general ZC site you dont need it surely?

[philip_clarke]

Yes I believe there is, although I doubt many people ask what "installation" entails or "configuration". e.g

"We unzip a file and click an "e" for each module then "install"

Except that I don't think they click the "e" part as it's up to the client to choose and configure the charges for the service.

so that's 5 minutes work at £75, £900 per hour. Or 2 minutes work £2,250 per hour.

[philip_clarke]

haha no i think you would beat me to it......

Gotta update the client to the latest version of ZC, and patches and your latest module release as their previous guys havnt been keeping it uptodate

Have got a question, which you could probably answer me straight away....

Why do we need the base href tag anyway?
If you remove the base href tag, then the site will work fine anyway (obviously not in worldpay, as it needs it to be absolute urls), but on a general ZC site you dont need it surely?

It depends "normally" on a ZC site it wouldn't be needed.

Occasionally you have some strange mod_rewrite rules.

Very very occasionally you have a linked in stylesheet that has an image in it, or includes other stylesheets. If one wanted to extend Zencart by using jQuery themes, then it would be very beneficial as the themes are built from one core file that needs to know where everything is, and css files only put in one request per item, whereas php could go "well if it's not there, then try...."

For the majority, you are correct, then you get the person that redirects their site from http://www.example.com/ using mod_rewrite incorrectly to http://www.example.com/store/index.php and the images are looking for http://www.example.com/ (because the URL hasn't got the store bit in it) when they are supposed to be finding them in http://www.example.com/store/ putting the base href at http://www.example.com/store/ stops that

[philip_clarke]

If you're talking about who I think you are, then there is a very clear statement on every product page that the fee is NOT for the module but for the installation and configuration.

Look its' you, and your website

http://www.jsweb.co.uk/big-royal-mail-p-129.html

and this is what you write to make things "clear"

We remind you that the fee we charge is for installation and configuration of the module; where a module is a commercial offering, that fact, along with the cost of the module itself, will be made clear and we will also supply a link to the origin of that module in case you wish to purchase directly from the supplier.

Most of the free modules are available on the Zen Cart website.

Which makes it look like the module isn't free, might be commercial, and that the provided link is so they can buy it from someone else (probably me, except they can't because I don't charge for it). And I know I've never received a contribution or donation from you. At £2000 per hour, christ you're miserly.

[philip_clarke]

Our 14 day money back guarantee (applicable to annual accounts only)

is illegal too, check the trading standards rules for distance selling.

[DrByte]

Second thing, if my posts are edited or deleted again. I will withdraw my copyright on all modules. This is not a joke, it is the only option that an open source developer has and that will revert the WorldPay module back to the stage where it has a great big security hole in it and my royal mail modules will then not exist. The modules will also all need to be re-written if ZC version 2.0 gets released.

Philip.

Philip, while it's obvious that your frustration levels are high because of RBS nonsense, DON'T GO TAKING THAT OUT ON THE MODERATORS HERE!!!!

I've looked into what happened:
One of the moderators was cleaning up the duplicates of the PayPal-related posts that person made in "your" thread. While doing that they also saw your inappropriate choice of words directed at that person, and deleted it. They probably should have slapped you around at the same time for your own unsuitable behaviour. But they decided to be more kind than that.

So, there are 2 options:
a) *you* stop conducting yourself inappropriately to forum users or risk being banned for conduct unbecoming
or
b) allow moderators to do their job in peace

Now, let's just put the attitudes aside and go back to the regular discussion now.

[philip_clarke]

Ban me. Withdraw all modules from the download area that I have authored, revert all modules that I have modified back to their previous state. That's total removal of the parcelforce and royal mail modules and you'll have to contact Alan duncan for the worldpay module to see what edits I did on the co-authorship of this

http://www.zen-cart.com/index.php?ma...oducts_id=1148

since the original module with the exploit appears to have been deleted.

Good Bye.