Security warnings when returning to site from paypal. HTTPS:// to HTTPS://

Started by rshafer, July 31, 2014, 20:24:45 PM


rshafer

Customers using firefox and safari are getting these errors after paying with paypal and clicking the return to site link.

FIREFOX: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

SAFARI: This is a non-secure form. The form will be sent in a way that is not secure. Are you sure you want to send it.

All aspects of the checkout, payment, and order processing are working correctly other than the warning.

Joomla 2.5.22, virtuemart 2.0.0 virtuemart-aio 2.0.26

vmpayment - paypal plugin. using paypal standard.

Have Enable SSL for sensitive areas. SSL is installed properly on server.

All site pages clear with Why No Padlock tester. Including the return:
https://www.animalsinourhearts.com/index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&on=d27403194&pm=1&Itemid=346&lang=

PayPal - auto return set to off. Even when set to on, paypal plugin seems to override the page
set in paypal auto return. I have not been able to get auto return to work.

It seems possibly the plugin is not sending PP the form data in secure format.
therefore, when PP tries to send the form data back, it is not secure.
Or, PP is not securing the data for return.

Would the latest upgrade be a certain fix for this issue? Any known hack for the plugin?
Any suggestions appreciated.

GJC Web Design

If it is really virtuemart 2.0.0 then it must have grey hairs - it is so out of date that I can't think of what else to say...  ;)

All normal warnings apply - read carefully on here about how to upgrade etc

rshafer

Well aware this is an old version of virtuemart. Actually the client had a really old system of 1.x for joomla and virtuemart. I went through the major
migration process to get joomla up to date and virtuemart to 2.0 recently. 2.0.0 is all you can install from 1.x. Then they had to have the site back live.
Going further with the upgrade path is not an option at the moment.

So I figured out a hack to remedy the issue.

Even though the return path appeared to be secure with SSL, the paypal plugin still defaults to just http://

I figured out to try hard coding the secure site url in:

plugins\vmpayment\paypal\helpers\paypalstd.php

I changed:
$post_variables['return'] =  JURI::root().'index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&on=' . $this->order['details']['BT']->order_number . '&pm=' . $this->order['details']['BT']->virtuemart_paymentmethod_id . '&Itemid=' . JRequest::getInt('Itemid' ). '&lang='.JRequest::getCmd('lang','')  ;
to:
$post_variables['return'] =  'https://www.mysite.com/index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&on=' . $this->order['details']['BT']->order_number . '&pm=' . $this->order['details']['BT']->virtuemart_paymentmethod_id . '&Itemid=' . JRequest::getInt('Itemid' ). '&lang='.JRequest::getCmd('lang','')  ;

and
$post_variables['notify_url'] = JURI::root() .  'index.php?option=com_virtuemart&view=pluginresponse&task=pluginnotification&tmpl=component' . '&lang='.JRequest::getCmd('lang','') ;
to:
$post_variables['notify_url'] = 'https://www.mysite.com/index.php?option=com_virtuemart&view=pluginresponse&task=pluginnotification&tmpl=component' . '&lang='.JRequest::getCmd('lang','') ;

It seems JURI::root(). is not polymorphic.  At least that is my limited knowledge take on it. I'm sure someone can explain what is happening better.

This forces paypal to use the secure url.
There are no more security warnings, when coming back to the site from PayPal after making a payment.

It's a hack, but it will keep the client going for a while until they allow me to update.
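
The Firefox and Safari warnings in this thread appear when a form on an HTTPS page submits to an `http://` address, which is what happens when the `return` and `notify_url` values sent to PayPal are built from an http base. The following is an added example, not part of the original post or of the VirtueMart plugin: standalone PHP that upgrades whatever base URL it is given to https instead of hard-coding the domain. The function names and the `example.com` base are assumptions; inside the plugin the base would be the value of `JURI::root()`.

```php
<?php
// Added example: standalone PHP, no Joomla classes required.

/**
 * Return $baseUrl with its scheme forced to https, keeping host and path.
 * Throws if the input has no host, so a malformed base never reaches PayPal.
 */
function forceHttpsBase(string $baseUrl): string
{
    $parts = parse_url($baseUrl);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $baseUrl");
    }
    // Drop an explicit :80 (plain http only); any other port is kept, which
    // assumes https is served on that same port.
    $port = isset($parts['port']) && $parts['port'] !== 80 ? ':' . $parts['port'] : '';
    $path = isset($parts['path']) ? rtrim($parts['path'], '/') : '';
    return 'https://' . $parts['host'] . $port . $path . '/';
}

/** Build the return and notify_url values that are posted to PayPal. */
function buildPaypalUrls(string $baseUrl, string $orderNumber, int $paymentMethodId, int $itemId, string $lang): array
{
    $root = forceHttpsBase($baseUrl);
    $common = ['option' => 'com_virtuemart', 'view' => 'pluginresponse'];
    return [
        'return' => $root . 'index.php?' . http_build_query($common + [
            'task' => 'pluginresponsereceived',
            'on' => $orderNumber,
            'pm' => $paymentMethodId,
            'Itemid' => $itemId,
            'lang' => $lang,
        ]),
        'notify_url' => $root . 'index.php?' . http_build_query($common + [
            'task' => 'pluginnotification',
            'tmpl' => 'component',
            'lang' => $lang,
        ]),
    ];
}

// Constructed sample input: the base URL as seen on a plain-http request.
$urls = buildPaypalUrls('http://www.example.com/', 'd27403194', 1, 346, '');
foreach ($urls as $name => $url) {
    echo $name, ' = ', $url, PHP_EOL;
}
```

Both printed URLs start with `https://www.example.com/index.php?`, so the form PayPal presents for the return step no longer targets an unencrypted address.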

Milbo

Quote from: rshafer on August 01, 2014, 00:28:40 AM
Well aware this is an old version of virtuemart. Actually the client had a really old system of 1.x for joomla and virtuemart. I went through the major
migration process to get joomla up to date and virtuemart to 2.0 recently. 2.0.0 is all you can install from 1.x. Then they had to have the site back live.
Going further with the upgrade path is not an option at the moment.

I am sorry, but this makes no sense to me. You can now directly update to vm2.6.7, so why should there be a problem? The only problem which existed with updating was the adjustments to the template, if you used overrides. So why do you want to develop a template for an outdated version?
The normal way is to migrate directly to the last version. It is quite important that you do that. Updating of your tables is done by VM itself.

alatak

Hello

If you want to remove this warning, then check the box for the configuration parameter "Enable SSL for sensitive areas (recommended)".