Misleading PayPal (Legacy) setting that can lead to security risk

[cristian607]

Hello,

The PayPal (Legacy) method has a configuration setting "Accept only verified buyers?" with description "Here you can choose if you only want to accept payments from buyers with a verified PayPal account (when an account is not verified, PayPal does transfer the funds, but they do not fully guarantee the validity of the sale)."

The understanding that this setting leads to is that this means:

• Customer has verified PayPal account => accept payment
• Customer has unverified PayPal account (or no account at all, using payment by credit card) => accept payment ONLY if above setting = NO

Well, this is not true. The above setting controls the behavior of the notify.php file. This script receives the IPN message from Paypal; it sends it back to PayPal; PayPal responds "INVALID" or "VERIFIED".

I am talking about this line of code (in notify.php, around line 385 for VirtueMart 1.1.7a):

Code Select Expand

      //-------------------------------------------
      // ...read the results of the verification...
      // If VERIFIED = continue to process the TX...
      //-------------------------------------------
        if (eregi ( "VERIFIED", $res) || @PAYPAL_VERIFIED_ONLY == '0' ) {


I think that:
a) if the above setting is set to FALSE, a security risk exists (malicious user can simulate an IPN and your store might think that the transaction was authorized).
b) the label and description are wrong and should be corrected
c) actually I think that this option should be completely removed

Hope this helps.

Best regards,
CS.

[stinga]

I shouldn't because it checks the ip address of the IPN source and only accepts paypal ip address's, so you might be correct but the risk should not be there.

[cristian607]

You are right. Being in debug mode, I overlooked the IP check.

However the setting is useless and it disables (if enabled) the additional layer of security.

Best regards,
CS.