Misleading PayPal (Legacy) setting that can lead to security risk

Started by cristian607, March 30, 2011, 09:14:40 AM

cristian607

Hello,

The PayPal (Legacy) method has a configuration setting "Accept only verified buyers?" with description "Here you can choose if you only want to accept payments from buyers with a verified PayPal account (when an account is not verified, PayPal does transfer the funds, but they do not fully guarantee the validity of the sale)."

The understanding that this setting leads to is that this means:

  • Customer has verified PayPal account => accept payment
  • Customer has unverified PayPal account (or no account at all, using payment by credit card) => accept payment ONLY if above setting = NO

Well, this is not true. The above setting controls the behavior of the notify.php file. This script receives the IPN message from PayPal; it sends it back to PayPal; PayPal responds "INVALID" or "VERIFIED".

I am talking about this line of code (in notify.php, around line 385 for VirtueMart 1.1.7a):
      //-------------------------------------------
      // ...read the results of the verification...
      // If VERIFIED = continue to process the TX...
      //-------------------------------------------
        if (eregi ( "VERIFIED", $res) || @PAYPAL_VERIFIED_ONLY == '0' ) {


I think that:
a) if the above setting is set to FALSE, a security risk exists (a malicious user can simulate an IPN and your store might think that the transaction was authorized).
b) the label and description are wrong and should be corrected
c) actually I think that this option should be completely removed

Hope this helps.

Best regards,
CS.

stinga

It shouldn't, because it checks the IP address of the IPN source and only accepts PayPal IP addresses, so you might be correct, but the risk should not be there.
Stinga.

cristian607

You are right. Being in debug mode, I overlooked the IP check.

However, the setting is useless and it disables (if enabled) the additional layer of security.

Best regards,
CS.
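
The two meanings of "verified" discussed in this thread, as an added example (not VirtueMart code and not posted by any participant): the first function reproduces the behaviour of the quoted condition, the second always requires PayPal's postback reply to be "VERIFIED" and applies the store setting only to the buyer's account status. It assumes the IPN carries PayPal's standard `payer_status` variable; the function names and sample cases are hypothetical.

```php
<?php
// Added example; function names and sample data are hypothetical.

// Behaviour of the quoted condition: with the setting at '0' the postback
// reply is ignored and every IPN is processed (fail-open).
// stripos() stands in for eregi(), which was removed in PHP 7.
function legacy_should_process(string $postbackReply, string $verifiedOnly): bool
{
    return stripos($postbackReply, 'VERIFIED') !== false || $verifiedOnly == '0';
}

// Hardened form: the postback reply is mandatory. The store setting only
// filters on the buyer's account status carried inside the IPN itself.
function hardened_should_process(string $postbackReply, array $ipn, bool $verifiedBuyersOnly): bool
{
    if (trim($postbackReply) !== 'VERIFIED') {
        return false; // INVALID, empty or unexpected reply
    }
    if ($verifiedBuyersOnly && ($ipn['payer_status'] ?? '') !== 'verified') {
        return false; // genuine IPN, but the buyer's account is unverified
    }
    return true;
}

// Constructed sample cases: [postback reply, payer_status in the IPN]
$cases = [
    'genuine, verified buyer'   => ['VERIFIED', 'verified'],
    'genuine, unverified buyer' => ['VERIFIED', 'unverified'],
    'rejected by PayPal'        => ['INVALID',  'verified'],
];

foreach ($cases as $label => [$reply, $status]) {
    foreach ([true, false] as $only) {
        $legacy   = legacy_should_process($reply, $only ? '1' : '0');
        $hardened = hardened_should_process($reply, ['payer_status' => $status], $only);
        printf(
            "%-26s verified_only=%d  legacy=%-7s hardened=%s\n",
            $label,
            (int) $only,
            $legacy ? 'process' : 'reject',
            $hardened ? 'process' : 'reject'
        );
    }
}
```

With the setting off, the legacy check processes the IPN that PayPal answered with "INVALID", while the hardened check rejects it in both modes.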