
Extra IPs for IPN check

Started by user_fra, April 02, 2021, 18:22:38 PM


user_fra

Hi, (VM3.8.8 J 39.9.25)
please, in the Extra IPs for IPN check field how should I separate the PayPal ips?
Like this
173.0.81.65 173.0.81.140 64.4.248.0/22
or
173.0.81.65, 173.0.81.140, 64.4.248.0/22
or
173.0.81.65; 173.0.81.140; 64.4.248.0/22
or...
Thank you
Francesco

user_fra

Hi, please, can anybody answer?
Today I had a problem with a payment also if I have in Extra IPs for IPN check field this list:
66.211.170.66,173.0.81.1,173.0.81.0/24,173.0.81.33,173.0.81.65,173.0.81.140,64.4.240.0/21,64.4.248.0/22,66.211.168.0/22,173.0.80.0/20,91.243.72.0/23
in paypal.4.log.php I see this error:

---

2021-05-01 09:30:04 DEBUG PaymentNotification, order_number:: Order nr. XYZ
2021-05-01 09:30:04 DEBUG PaymentNotification, virtuemart_paymentmethod_id:: 4
2021-05-01 09:30:04 DEBUG checkPaypalIps $paypal_iplist: Array
(
        [0] => 173.0.88.40
        [1] => 173.0.84.40
        [2] => 66.211.169.17
        [3] => 173.0.88.8
        [4] => 173.0.81.65
        [5] => 173.0.81.33
        [6] => 173.0.81.1
        [7] => 66.211.170.66
        [8] => 173.0.81.1
        [9] => 173.0.81.0/24
        [10] => 173.0.81.33
        [11] => 173.0.81.65
        [12] => 173.0.81.140
        [13] => 64.4.240.0/21
        [14] => 64.4.248.0/22
        [15] => 66.211.168.0/22
        [16] => 173.0.80.0/20
        [17] => 91.243.72.0/23
    )

2021-05-01 09:30:04 DEBUG checkPaypalIps REMOTE ADDRESS: 173.0.81.65
2021-05-01 09:30:04 ERROR validateIpnContent: Convalida IPN non corretta: NO ANSWER FROM PAYPAL
2021-05-01 09:30:04 DEBUG validateIpnContent: valid_ipn:
---

But I have 173.0.81.65 in the Extra IPs for IPN check field of the VM PayPal method.
Is it wrong to write ips separated by comma as I did?
Thank you
Best regards
Francesco

Jörgen

I guess that the ip range 173.0.81.0/24 expands to 173.0.81.0 - 173.0.81.255. Dividing the input with commas should be correct. I would appreciate other opinions on this, but these are my 2 cents.

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

user_fra

Thank you Jörgen, you are very kind.
I add some more details, maybe it helps.
1) The customer paid by credit card.
2) Order was in the pending status.
3) After paying she was redirected to a site page that said "Your order status is pending".
4) In her credit card account detail, it said pending debit.
5) I received an e-mail from my site with this subject: "Error with paypal payment in your shop"
6) The money had already been credited to my paypal account.

Luckily I was on my computer when all this happened, so I quickly fixed the problem changing the order status from pending to confirmed.
My best regards
Francesco

dmb

I got a couple of these today as well for the first time.

I wonder if the "Update: Important information about Instant Payments Notification (IPN) (PP-LIVE-31029)" on https://www.paypal-status.com/bulletin/production is relevant:

Update:
This change will now take effect on May 3, 2021. The date in the previous posts has been likewise updated to reflect May 3, 2021.

Mar 11, 16:37 UTC

Update:
This change will now take effect on May 3, 2021.

As a point of clarification, merchants will be receiving IPNs from all the below IP addresses. However, on May 3 2021, the old IP addresses (marked below) will be deprecated and IPNs will only be sent with the new IP addresses (also marked below).

66.211.170.66 (Old)
66.211.170.66 (Old)
173.0.81.1 (Old)
173.0.81.0/24 (Old)
173.0.81.33 (Old)
173.0.81.65 (New)
173.0.81.140 (New)
64.4.240.0/21 (New)
64.4.248.0/22 (New)
66.211.168.0/22 (New)
173.0.80.0/20 (New)
91.243.72.0/23 (New)

GJC Web Design

Totally relevant .. either add these new ips or switch off "Check IPN provider IP"

I assume these will be added in the next release
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

dmb

Thanks for the confirmation ... it did look like a huge red flag :)

I have lists of Paypal servers in:

plugins/vmpayment/paypal/paypal/helpers/paypal.php
templates/<template name>/html/com_virtuemart/vmpayment/paypal/helpers/paypal.php

I plan to update both, but it would be interesting to know what the template file is, if anyone knows ?

Also, there appear to be a large number of possible IPN servers (just under 9000 !), if my calculations are correct:

<?php

// generates 8965 addresses (8959 with the original "<" loop bound,
// which left out the last address of each range)

$arr = ipnIPs(array("66.211.170.66", "173.0.81.1", "173.0.81.33", "173.0.81.65", "173.0.81.140",
    "173.0.81.0/24", "64.4.240.0/21", "64.4.248.0/22", "66.211.168.0/22", "173.0.80.0/20", "91.243.72.0/23"));

var_dump($arr);

function ipnIPs($cidrs) {

    $range = array();

    foreach ($cidrs as $cidr) {

        if (strpos($cidr, '/') === false) {
            // single address, keep as is
            $range[] = $cidr;
        } else {
            $cidr_arr = explode('/', $cidr);

            // first and last address of the range as integers
            $start_ip = ip2long($cidr_arr[0]);
            $end_ip = $start_ip + pow(2, (32 - (int) $cidr_arr[1])) - 1;

            // generates the .0 and .255 addresses, but we don't care :)
            // the bound is inclusive so the last address of the range is listed too

            for ($i = $start_ip; $i <= $end_ip; $i++) {
                $range[] = long2ip($i);
            }
        }
    }

    return $range;
}
?>


I noticed that I can't set "Check IPN Provider IP" to anything other than "Yes" anyway (it resets when I save), so I guess I just check all possible addresses ...

David

GJC Web Design

I actually hadn't noticed Paypal gives ranges now

e.g.  64.4.240.0/21 (New)

saves fine for me in various installs



dmb

Thanks for the heads-up GJC, I need to upgrade my VM but the last time I tried the upgrade failed so I need to set a week or so aside to figure out the problem and get all the testing etc. done ... never enough time.

I should do this anyway, as having updated the IP addresses I no longer get the IPN failure, in fact I get no notifications at all from PayPal, and no errors in the web server logs, the Joomla logs or the VM logs, so this is a significant problem right now. Rolling back the IPN code checks makes no difference either, as I guess the "error contacting IPN servers" is somewhat random based on the IPs that are actually alive at Paypal. I've successfully updated my test site to J3.9.26/VM 3.8.9, and I see none of the new IP Addresses in the paypal.php, which is a bit worrying.

However the "IPN Provider IP" works on the test site so I may do something about this on my live site too (in the database) if it temporarily fixes my problem.

What's the actual effect of disabling the "IPN Provider IP" ? Do I lose any callback data like Paypal fees/status, or is it "only" a security feature to stop payments being spoofed as confirmed ?

David

EDIT: After a long night, I've finished testing the test system, upgraded the live site to J3.9.26/VM 3.8.9 too and everything is working very well with "Check IPN provider IP" enabled. I haven't examined the code where the IPN IP addresses are actually checked so I don't know if that's been fixed or if I'm just lucky so far.


Bogisich

The situation around EKS and IP addresses seems kind of insane to me. Apparently the amount of ENIs / IP addresses / Secondary IP addresses attached to a node depends on the instance size. This results in an instance of the size m5.xlarge to have 2 ENIs with 15 IP addresses each, expecting 28 pods to be running on each node to actually make use of all the IP addresses.


TargetPayandBenefits

user_fra

Quote from: dmb on May 04, 2021, 21:36:23 PM
What's the actual effect of disabling the "IPN Provider IP" ? Do I lose any callback data like Paypal fees/status, or is it "only" a security feature to stop payments being spoofed as confirmed ?

Very interesting question!
Francesco

AH

Security feature only - I have had it disabled for years
Regards
A

Joomla 4.4.5
php 8.1

dmb

If anyone wants to have IPN enabled and the correct Paypal servers you could do as I did and change plugins/vmpayment/paypal/paypal/helpers/paypal.php as below.

This works in J3.10.2/VM3.8.9.

I'd really like to override this core file but I don't know where to put my override (I tried in ./templates/<mytemplate>/html/com_virtuemart/vmpayment/paypal/helpers/paypal.php but that didn't work so it's not right :))

updated checkPaypalIps():
protected function checkPaypalIps ($paypal_data) {
    /*
        $test_ipn = (array_key_exists('test_ipn', $paypal_data)) ? $paypal_data['test_ipn'] : 0;
        if ($test_ipn == 1) {
            return true;
        }
    */
    /*
     * adding an extra parameter because getting the IP through gethostbynamel is unfortunately not a reliable method
     */
    if (isset($this->_method->check_ips) and $this->_method->check_ips==0) {
        return true;
    }
    $order_number = $paypal_data['invoice'];

    // Get the list of IP addresses for the PayPal IPN hosts

    if ($this->_method->sandbox) {
        $paypalHosts = array('ipn.sandbox.paypal.com','ipnpb.sandbox.paypal.com');
    } else {
        $paypalHosts = array('ipnpb.paypal.com','notify.paypal.com');
    }

    $paypal_iplist = array();
    foreach($paypalHosts as $host){
        $ipList = gethostbynamel($host);
        // gethostbynamel() returns false when the lookup fails; only merge real results
        if (is_array($ipList)) {
            $paypal_iplist = array_merge($paypal_iplist,$ipList);
        }
    }
    if (isset($this->_method->extra_ips)){
        // trim each entry so "a, b" and "a,b" give the same result in the in_array() check below
        $extraIps = array_map('trim', explode(',',$this->_method->extra_ips));
        $paypal_iplist = array_merge($paypal_iplist,$extraIps);
    }

    // add the official Paypal IP addresses

    $paypal_iplist = array_merge($paypal_iplist, $this->generateIPNList()); // DMB 20210501
//  $this->debugLog($paypal_iplist, 'checkPaypalIps $paypal_iplist', 'debug', false);

    $remoteIPAddress = ShopFunctions::getClientIP();
    $hostname = gethostbyaddr($remoteIPAddress);
    $this->debugLog($remoteIPAddress, 'checkPaypalIps REMOTE ADDRESS', 'debug', false);

    //  test if the remote IP connected here is a valid IP address
    if (!in_array($remoteIPAddress, $paypal_iplist) and !in_array($hostname, $paypalHosts)) {

        $text = "(plugins/vmpayment/paypal/paypal/helpers/paypal.php) Error with REMOTE IP ADDRESS = " . $remoteIPAddress . ".\n
                    The remote address of the script posting to this notify script does not match a valid PayPal IP address\n
        These are the valid IP Addresses: " . implode(",", $paypal_iplist) . ". The Order ID received was: " . $order_number;
        $this->debugLog($text, 'checkPaypalIps', 'error', false);
        return false;
    }

    return true;
}


New generateIPNList() function - note the list of Paypal address ranges from their most recent advisory notice:

/* 
     * DMB 20210501
     *
     * generate an array of Paypal IPN servers
     *
     * From https://www.paypal-status.com/bulletin/production:
     *
     * As previously communicated, PayPal expanded its IPN infrastructure on May 3. All of the IP addresses listed below will be used for IPN:
     *
     * 66.211.170.66
     * 173.0.81.1
     * 173.0.81.0/24
     * 173.0.81.33
     * 173.0.81.65
     * 173.0.81.140
     * 64.4.240.0/21
     * 64.4.248.0/22
     * 66.211.168.0/22
     * 173.0.80.0/20
     * 91.243.72.0/23
     */

    function generateIPNList() {

        $cidrs = array( "66.211.170.66", "173.0.81.1", "173.0.81.33", "173.0.81.65", "173.0.81.140",
            "173.0.81.0/24", "64.4.240.0/21", "64.4.248.0/22", "66.211.168.0/22", "173.0.80.0/20", "91.243.72.0/23");

        $range = array();

        foreach ($cidrs as $cidr){

            if (strpos($cidr, '/') === false)
                $range[] = $cidr;
            else {
                $cidr_arr = explode('/', $cidr);

                // first and last address of the range as integers
                $start_ip = ip2long($cidr_arr[0]);
                $end_ip = $start_ip + pow(2, (32 - (int) $cidr_arr[1])) - 1;

                // generates the .0 and .255 addresses, but we don't care :)
                // the bound is inclusive so the last address of each range is not left out

                for ($i = $start_ip ; $i <= $end_ip ; $i++)
                    $range[] = long2ip($i);
            }
        }

        return $range;
    }


Apologies to the original authors, I based this function on code I found elsewhere and didn't keep a note of the source.

AH

VM did have a fixed IP address function in previous versions of the PayPal Plugins, it was removed as it is not what PayPal suggest in validating IP's

However, it was apparent that a separate additional configuration option might be needed and it was introduced as a new config option in the PayPal payment method settings.

"extra IPs for IPN check "

Have you ever tried using this provided configuration - instead of adding a hard coded set of IP's?
Regards
A


Phoenix616

Quote from: AH on September 22, 2021, 11:37:20 AM
However, it was apparent that a separate additional configuration option might be needed and it was introduced as a new config option in the PayPal payment method settings.

"extra IPs for IPN check "

Have you ever tried using this provided configuration - instead of adding a hard coded set of IP's?

Unfortunately it seems like they use whole subnets for IPNs now which is not supported by that config field as it only does an in_array check with the IP and does not support subnets.
Website: phoenix616.dev - GitHub: Phoenix616 - Twitter: @the_moep
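
The limitation described in the last post (an in_array comparison cannot match a subnet entry) and the separator question from the first post can both be handled with a CIDR-aware comparison instead of expanding every range into a list. This is an added example, not VirtueMart's or any poster's code; the function names parseAllowlist, ipv4MatchesEntry and ipv4InAllowlist are hypothetical, and it assumes IPv4 addresses on 64-bit PHP.

```php
<?php
// Added example, not VirtueMart code; all function names are hypothetical.
// Assumes 64-bit PHP and IPv4 addresses only.

/** Split the comma-separated field value, tolerating spaces and empty items. */
function parseAllowlist(string $field): array
{
    $entries = array_map('trim', explode(',', $field));
    return array_values(array_filter($entries, 'strlen'));
}

/** True if $ip equals $entry, or lies inside it when $entry is a CIDR range. */
function ipv4MatchesEntry(string $ip, string $entry): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false; // not a valid IPv4 address
    }
    if (strpos($entry, '/') === false) {
        return ip2long($entry) === $ipLong; // single address
    }
    [$net, $bits] = explode('/', $entry, 2);
    $netLong = ip2long($net);
    if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed entry never matches
    }
    $bits = (int) $bits;
    // Netmask for the prefix length; /0 is handled explicitly.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function ipv4InAllowlist(string $ip, array $entries): bool
{
    foreach ($entries as $entry) {
        if (ipv4MatchesEntry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed sample input built from ranges quoted in this thread.
$allow = parseAllowlist('173.0.81.65, 173.0.81.140,64.4.240.0/21 , 91.243.72.0/23');
var_dump(ipv4InAllowlist('64.4.247.255', $allow)); // last address of 64.4.240.0/21
var_dump(ipv4InAllowlist('64.4.248.1', $allow));   // not covered by any entry above
var_dump(ipv4InAllowlist('173.0.81.65', $allow));  // exact single-address entry
```

A malformed entry is treated as a non-match, so a typo in the field narrows the allowlist instead of widening it.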