VirtueMart Forum

VirtueMart 2 + 3 + 4 => General Questions => Topic started by: rshafer on July 31, 2014, 20:24:45 PM

Title: Security warnings when returning to site from paypal. HTTPS:// to HTTPS://
Post by: rshafer on July 31, 2014, 20:24:45 PM
Customers using Firefox and Safari are getting these errors after paying with PayPal and clicking the return to site link.

FIREFOX: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

SAFARI: This is a non-secure form. The form will be sent in a way that is not secure. Are you sure you want to send it.

All aspects of the checkout, payment, and order processing are working correctly other than the warning.

Joomla 2.5.22, virtuemart 2.0.0 virtuemart-aio 2.0.26

vmpayment - paypal plugin. using paypal standard.

Have Enable SSL for sensitive areas. SSL is installed properly on server.

All site pages clear with Why No Padlock tester. Including the return:
https://www.animalsinourhearts.com/index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&on=d27403194&pm=1&Itemid=346&lang=

PayPal - auto return set to off. Even when set to on, the PayPal plugin seems to override the page set in PayPal auto return. I have not been able to get auto return to work.

It seems possibly the plugin is not sending PP the form data in secure format.
Therefore, when PP tries to send the form data back, it is not secure.
Or, PP is not securing the data for return.

Would the latest upgrade be a certain fix for this issue? Any known hack for the plugin?
Any suggestions appreciated.
Title: Re: Security warnings when returning to site from paypal. HTTPS:// to HTTPS://
Post by: GJC Web Design on July 31, 2014, 21:34:52 PM
If it is really virtuemart 2.0.0 then it must have grey hairs - it is so out of date that I can't think of what else to say...  ;)

All normal warnings apply - read carefully on here about how to upgrade etc
Title: Re: Security warnings when returning to site from paypal. HTTPS:// to HTTPS://
Post by: rshafer on August 01, 2014, 00:28:40 AM
Well aware this is an old version of virtuemart. Actually the client had a really old system of 1.x for joomla and virtuemart. I went through the major migration process to get joomla up to date and virtuemart to 2.0 recently. 2.0.0 is all you can install from 1.x. Then they had to have the site back live.
Going further with the upgrade path is not an option at the moment.

So I figured out a hack to remedy the issue.

Even though the return path appeared to be secure with SSL, the PayPal plugin still defaults to just http://

I figured out to try hard coding the secure site url in:

plugins\vmpayment\paypal\helpers\paypalstd.php

I changed:
$post_variables['return'] =  JURI::root().'index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&on=' . $this->order['details']['BT']->order_number . '&pm=' . $this->order['details']['BT']->virtuemart_paymentmethod_id . '&Itemid=' . JRequest::getInt('Itemid' ). '&lang='.JRequest::getCmd('lang','')  ;
to:
$post_variables['return'] =  'https://www.mysite.com/index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&on=' . $this->order['details']['BT']->order_number . '&pm=' . $this->order['details']['BT']->virtuemart_paymentmethod_id . '&Itemid=' . JRequest::getInt('Itemid' ). '&lang='.JRequest::getCmd('lang','')  ;

and
$post_variables['notify_url'] = JURI::root() .  'index.php?option=com_virtuemart&view=pluginresponse&task=pluginnotification&tmpl=component' . '&lang='.JRequest::getCmd('lang','') ;
to:
$post_variables['notify_url'] = 'https://www.mysite.com/index.php?option=com_virtuemart&view=pluginresponse&task=pluginnotification&tmpl=component' . '&lang='.JRequest::getCmd('lang','') ;

It seems JURI::root() is not polymorphic. At least that is my limited knowledge take on it. I'm sure someone can explain what is happening better.

This forces paypal to use the secure url.
There are no more security warnings, when coming back to the site from PayPal after making a payment.

It's a hack, but it will keep the client going for a while until they allow me to update.
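
Added example, not part of the original post and not VirtueMart or plugin code: one way to get the effect described above (PayPal always receives https:// return and notify URLs) without hard-coding the hostname, by forcing the scheme on whatever root URL the site reports. The function names forceHttpsRoot and buildPaypalUrls and the sample values are hypothetical; in the plugin, the string returned by JURI::root() would be passed in as $rootUrl.

```php
<?php
// Added example (not VirtueMart code). Function names are hypothetical.

/**
 * Return $rootUrl with its scheme forced to https, keeping host and path.
 * Throws on a URL without a host, so a bad base URL fails loudly instead of
 * handing PayPal a broken or plain-HTTP return address.
 */
function forceHttpsRoot(string $rootUrl): string
{
    $parts = parse_url($rootUrl);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $rootUrl");
    }
    // Assumption: an explicit port 80 is the plain-HTTP default and is dropped;
    // any other explicit port is kept as-is.
    $port = (isset($parts['port']) && $parts['port'] !== 80) ? ':' . $parts['port'] : '';
    $path = $parts['path'] ?? '/';
    if (substr($path, -1) !== '/') {
        $path .= '/';
    }
    return 'https://' . $parts['host'] . $port . $path;
}

/** Build the two URLs sent to PayPal Standard, always on https. */
function buildPaypalUrls(string $rootUrl, string $orderNumber, int $paymentMethodId, int $itemId, string $lang): array
{
    $root   = forceHttpsRoot($rootUrl);
    $common = ['option' => 'com_virtuemart', 'view' => 'pluginresponse'];
    $return = $common + ['task' => 'pluginresponsereceived', 'on' => $orderNumber,
                         'pm' => $paymentMethodId, 'Itemid' => $itemId, 'lang' => $lang];
    $notify = $common + ['task' => 'pluginnotification', 'tmpl' => 'component', 'lang' => $lang];

    // http_build_query() also URL-encodes the values, unlike plain concatenation.
    return [
        'return'     => $root . 'index.php?' . http_build_query($return, '', '&'),
        'notify_url' => $root . 'index.php?' . http_build_query($notify, '', '&'),
    ];
}

// Constructed sample input: a root URL that was generated with http://.
$urls = buildPaypalUrls('http://www.example.com/', 'ORDER123', 1, 346, '');
foreach ($urls as $name => $url) {
    echo $name, ' => ', $url, PHP_EOL;
}
```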
Title: Re: Security warnings when returning to site from paypal. HTTPS:// to HTTPS://
Post by: Milbo on August 01, 2014, 10:52:48 AM
Quote from: rshafer on August 01, 2014, 00:28:40 AM
Well aware this is an old version of virtuemart. Actually the client had a really old system of 1.x for joomla and virtuemart. I went through the major migration process to get joomla up to date and virtuemart to 2.0 recently. 2.0.0 is all you can install from 1.x. Then they had to have the site back live.
Going further with the upgrade path is not an option at the moment.

I am sorry, but this makes no sense to me. You can now directly update to vm2.6.7; why should there be a problem? The only problem which existed with updating was the adjustments to the template, if you used overrides. So why do you want to develop a template for an outdated version?
The normal way is to migrate directly to the last version. It is quite important that you do that. Updating of your tables is done by VM itself.
Title: Re: Security warnings when returning to site from paypal. HTTPS:// to HTTPS://
Post by: alatak on August 01, 2014, 12:57:36 PM
Hello

If you want to remove this warning, then check the box for the configuration parameter "Enable SSL for sensitive areas (recommended)".