
PayPal Sandbox Invalid IP

Started by rrijnders, May 29, 2008, 22:25:44 PM


rrijnders

Hi all,

I'm new to Virtuemart and setting up an ecommerce site for the first time.

While doing some testing with the PayPal Sandbox, I received an email from Virtuemart's notify script warning me that the server posting to notify.php was not a valid PayPal server. Consequently, the orders were not updated to "confirmed" status either.

Looking through the 'notify.php' script, it appears that the only valid Sandbox IP must resolve to 'ipn.sandbox.paypal.com'. The IP address that PayPal's Sandbox is posting from (216.113.191.33) does not resolve to _any_ domain name and, thus, gethostbyaddr() only returns the IP address. This causes the script to fall through to check the IP against the list of "valid" PayPal IPs that it has already compiled and it will, of course, fail.

I don't know where the 216.113.191.33 address comes from; ipn.sandbox.paypal.com returns only 216.113.191.10 as a valid address. I don't know of any solution to this problem. Since I am only testing against the sandbox, I disabled the IP check in notify.php for now. I will enable it again when I go live, and hope that the production PayPal IPN will not be posting from IPs without reverse DNS resolving to www.paypal.com or notify.paypal.com.

I post this in case others are having issues testing against the sandbox and not getting their orders "confirmed" even though the sandbox account has the "funds" posted to it. If you used the "fake" email address created by the sandbox for the test merchant account, you may never get the email from the notify.php script with this error, since it will send it to the "fake" address!

Also, I see a potential security flaw in the notify.php script as it is currently written. If the IP address of the poster resolves to 'ipn.sandbox.paypal.com' then the script deems it valid and goes on its merry way, updating the orders to 'confirmed' et al. This is not secure because the reverse DNS can be spoofed. If someone has access to the DNS for their IP class, they can create a PTR record for their IP that returns 'ipn.sandbox.paypal.com' whether they are really that host or not! In this manner, they would pass as authentic according to the notify.php script.

The script should first do a gethostbynamel('ipn.sandbox.paypal.com') and compare the $_SERVER['REMOTE_ADDR'] against that list. That is much harder to fake as the spoofer would have to have access to paypal's dns, rather than just his own.
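The forward-confirmed check described in the post above, as an added example (this is not VirtueMart's notify.php). The resolver is passed in as a callable so the logic can be exercised offline with a constructed map; in production you would pass a thin wrapper around gethostbynamel(). The hostnames and addresses are the ones quoted in this thread, not a current list of PayPal's servers.

```php
<?php
// Added example, not VirtueMart's code: validate the IPN sender by forward
// DNS only. PTR (reverse) records are never consulted, because the sender
// controls the PTR zone for his own address block but not PayPal's forward zone.

/**
 * Return true only if $remoteAddr is one of the A records of a known IPN host.
 *
 * @param string   $remoteAddr  value of $_SERVER['REMOTE_ADDR']
 * @param string[] $ipnHosts    hostnames PayPal posts from
 * @param callable $resolve     function(string $host): array|false, same contract as gethostbynamel()
 */
function ipn_sender_is_valid(string $remoteAddr, array $ipnHosts, callable $resolve): bool
{
    // Refuse anything that is not a literal IP address before doing any lookups.
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    foreach ($ipnHosts as $host) {
        $addrs = $resolve($host);
        if ($addrs === false) {
            continue;   // lookup failed: try the next host, never assume valid
        }
        if (in_array($remoteAddr, $addrs, true)) {
            return true;
        }
    }
    return false;
}

// Production resolver: forward lookup of the hostname, as the post suggests.
function resolve_with_dns(string $host)
{
    return gethostbynamel($host);
}

// Constructed resolver map for the offline demonstration (addresses from this thread).
$fakeDns = [
    'ipn.sandbox.paypal.com' => ['216.113.191.10'],
    'notify.paypal.com'      => ['66.211.168.209', '216.113.188.65'],
];
$resolveFake = function (string $host) use ($fakeDns) {
    return $fakeDns[$host] ?? false;
};
$hosts = ['ipn.sandbox.paypal.com', 'notify.paypal.com'];

// The address the sandbox hostname actually resolves to is accepted.
$fromSandbox = ipn_sender_is_valid('216.113.191.10', $hosts, $resolveFake);
// The address the poster saw, which no listed hostname resolves to, is rejected.
$unknownSender = ipn_sender_is_valid('216.113.191.33', $hosts, $resolveFake);
// A host that merely points its own PTR record at 'ipn.sandbox.paypal.com' is
// rejected too, since gethostbyaddr() is never consulted.
$spoofedPtr = ipn_sender_is_valid('203.0.113.7', $hosts, $resolveFake);

echo 'sandbox address: ', $fromSandbox ? 'accepted' : 'rejected', "\n";
echo 'unlisted address: ', $unknownSender ? 'accepted' : 'rejected', "\n";
echo 'PTR-spoofing address: ', $spoofedPtr ? 'accepted' : 'rejected', "\n";
```

In notify.php the call would be `ipn_sender_is_valid($_SERVER['REMOTE_ADDR'], $hosts, 'resolve_with_dns')`. Note that this check still fails for exactly the situation the poster hit, a PayPal server whose address is not among the hostname's A records, so it is a supplement to, not a substitute for, posting the IPN back to PayPal for validation.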




3rdimension

I am actually working on joomla 1.013 and virtuemart 1.013a for my online download store. I am testing my PayPal system in the sandbox. I tried all the steps in the forum to get the status changed from pending to confirmed, but nothing worked. I even tried with real dollars on paypal.com to see if it is a sandbox problem, but nothing works.

Then I thought maybe I will try the new version to see if it works there. So I just installed joomla 1.5.3 and virtuemart 1.1, and I get this message in the email after confirmation:

Error code 506. Possible fraud. Error with REMOTE IP ADDRESS = 216.113.191.33.
The remote address of the script posting to this notify script does not match a valid PayPal ip address

These are the valid IP Addresses: 66.211.168.209,
216.113.188.65,
64.4.241.33,
64.4.241.49,
64.4.241.65,
66.211.168.65,
66.211.168.97,
66.211.168.193,
66.211.170.66,



I mean, come on, this is the latest release of virtuemart and joomla. This thing just doesn't work. It's buggy. The payment is accepted but the status doesn't change at all. I don't want to manually change it..
I have been trying to solve this problem for two days and now I think I am about to cry...

rob2701

Maybe this is related? http://forum.virtuemart.net/index.php?topic=42981.0
I have it in a live environment, but the "possible fraud" thing is the same.

I have put this problem to PayPal's merchant support services, and here is their answer:

1. If your code is doing the post back to PayPal for IPN validation, there is no reason to check the IP address to confirm it is one of ours.
2. IPN does not use IP checking. We just post to a URL. You will want to look at your code to see how it is getting the IP address, as it appears the code is grabbing the wrong IP.

So, is the notify.php script inside VirtueMart checking for IP address which according to PayPal is superfluous?
Can anyone with enough scripting knowledge help out here to adapt it?
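The validation PayPal's support describes in the reply above, posting the IPN message back to PayPal and acting only on a VERIFIED answer, as an added example (not VirtueMart's notify.php). The HTTP transport is injected so the logic can be exercised offline with a constructed message; the verification URLs are the ones PayPal documents for IPN and should be checked against the current documentation before use.

```php
<?php
// Added example, not VirtueMart's code: IPN postback validation. PayPal's
// documented procedure is to echo the received body back with
// cmd=_notify-validate prepended; PayPal replies VERIFIED or INVALID.

const IPN_VERIFY_LIVE    = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const IPN_VERIFY_SANDBOX = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';

/**
 * Return true only for an exact "VERIFIED" reply. Anything else, including a
 * transport failure, counts as not verified.
 *
 * @param string   $rawBody  request body exactly as received (php://input)
 * @param bool     $sandbox  choose the sandbox or the live endpoint
 * @param callable $post     function(string $url, string $body): string|false
 */
function ipn_is_verified(string $rawBody, bool $sandbox, callable $post): bool
{
    $url   = $sandbox ? IPN_VERIFY_SANDBOX : IPN_VERIFY_LIVE;
    $reply = $post($url, 'cmd=_notify-validate&' . $rawBody);
    return $reply === 'VERIFIED';
}

/**
 * VERIFIED only proves PayPal sent the message. The shop must still check that
 * it describes the payment it expects, and must ignore a txn_id it has already
 * processed, since PayPal re-sends IPNs.
 */
function ipn_matches_order(array $ipn, string $receiverEmail, string $amount, string $currency, array $seenTxnIds): bool
{
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && ($ipn['receiver_email'] ?? '') === $receiverEmail
        && ($ipn['mc_gross'] ?? '') === $amount
        && ($ipn['mc_currency'] ?? '') === $currency
        && isset($ipn['txn_id'])
        && !in_array($ipn['txn_id'], $seenTxnIds, true);
}

// Production transport: a cURL POST that returns the response body.
function curl_post(string $url, string $body)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply;
}

// Constructed IPN body for the offline demonstration.
$body = http_build_query([
    'txn_id'         => 'TXN-EXAMPLE-1',
    'payment_status' => 'Completed',
    'receiver_email' => 'seller@example.com',
    'mc_gross'       => '19.99',
    'mc_currency'    => 'EUR',
]);
parse_str($body, $ipn);

// Fake PayPal: answers VERIFIED only when the echoed body is exactly what it sent.
$fakePayPal = function (string $url, string $sent) use ($body) {
    return $sent === 'cmd=_notify-validate&' . $body ? 'VERIFIED' : 'INVALID';
};

$confirm = ipn_is_verified($body, true, $fakePayPal)
        && ipn_matches_order($ipn, 'seller@example.com', '19.99', 'EUR', []);
echo 'original message: ', $confirm ? 'confirm order' : 'leave order pending', "\n";

// A message altered in transit (amount changed) does not echo back as VERIFIED.
$tampered = ipn_is_verified(str_replace('19.99', '0.01', $body), true, $fakePayPal);
echo 'tampered message: ', $tampered ? 'confirm order' : 'leave order pending', "\n";

// A genuine message replayed for an already-processed txn_id is not acted on twice.
$replayed = ipn_is_verified($body, true, $fakePayPal)
         && ipn_matches_order($ipn, 'seller@example.com', '19.99', 'EUR', ['TXN-EXAMPLE-1']);
echo 'replayed message: ', $replayed ? 'confirm order' : 'leave order pending', "\n";
```

In notify.php the raw body comes from `file_get_contents('php://input')` and the transport would be `'curl_post'`; the expected amount, currency and receiver email come from the stored order, not from the IPN itself. This is the check PayPal's reply calls sufficient; with it in place the remote-address test that produced "Error code 506" is not needed.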

3rdimension

I got it working and the problem is with the notify.php. Previously I replaced the notify.php in virtuemart 1.0.13a with the one in virtuemart 1.1, because I thought it was the latest. But that did not work. The solution for me was to replace the notify.php with the one from virtuemart 1.0.15.

If you have an older version of virtuemart, then use the notify.php from virtuemart 1.0.15. It works provided that you have done all the other steps.