
Severe Security Issue #5

Open
innomedia opened this issue Oct 24, 2014 · 1 comment
Comments

@innomedia

When a payment is cancelled or paid via echeck, PayPal returns the user to the cancelURL, which is in fact the same as the returnURL. These cancelled payments are handled as payments without credentials (PayPalGateway.php line 148). This leads to a payment failure, which means that the payment is marked as failed. So far so good.
But think of a payment which was successful, thus marked as dispatched and paid. When a user calls the Complete function again with the same payment id, the payment is marked as a failure because of missing credentials. In that case swipestripe/payment marks the previously successful payment as unpaid and the order as processing. There is even a message sent to the customer telling them that the already paid payment is unpaid.
Actually we had this issue when a user called the payment URL twice, because QuickView on Safari (preview of most viewed sites) tries to reload that page again.
Unfortunately this even happens when a payment id is given and there is no payer id and no token. This means you can set all payments in the shop by firing queries brute force at a range of ids.
Probably it would be better to set the cancelURL to a separate URL/Controller function and handle it separately.
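As an added example (not code from the swipestripe/payment module, which is PHP), here is a small Python model of the two completion behaviours the report describes: a handler that treats every credential-less call as a failure, and a hardened one that is idempotent and routes cancellations to a separate handler. The class, function names, payment id and credential strings are constructed for the illustration.

```python
"""Model of the replayed-completion bug reported above, beside a hardened handler.
Illustrative only: this is not the module's own PHP code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Payment:
    id: int
    status: str = "pending"  # pending | paid | failed
    token: Optional[str] = None     # credentials PayPal hands back on a successful return
    payer_id: Optional[str] = None
    customer_messages: List[str] = field(default_factory=list)


def complete_vulnerable(payments: Dict[int, Payment], pid: int,
                        token: Optional[str] = None, payer_id: Optional[str] = None) -> str:
    """Behaviour described in the report: a call without credentials is a failure,
    regardless of the payment's current state, so a replay downgrades a paid payment."""
    p = payments[pid]
    if not token or not payer_id:
        p.status = "failed"
        p.customer_messages.append("payment unpaid")  # the misleading customer mail
        return p.status
    p.status, p.token, p.payer_id = "paid", token, payer_id
    return p.status


def cancel_hardened(payments: Dict[int, Payment], pid: int) -> str:
    """Separate cancel handler, as the report suggests; only a pending payment can fail."""
    p = payments[pid]
    if p.status == "pending":
        p.status = "failed"
        p.customer_messages.append("payment cancelled")
    return p.status


def complete_hardened(payments: Dict[int, Payment], pid: int,
                      token: Optional[str] = None, payer_id: Optional[str] = None) -> str:
    """Completion is idempotent: a final state is never rewritten by a second call."""
    p = payments[pid]
    if p.status in ("paid", "failed"):
        return p.status  # replayed or enumerated request: no state change, no mail
    if not token or not payer_id:
        return cancel_hardened(payments, pid)  # missing credentials mean cancellation
    p.status, p.token, p.payer_id = "paid", token, payer_id
    return p.status


def replay_scenario(complete) -> Payment:
    """Pay once with credentials, then call Complete again for the same id without any."""
    payments = {42: Payment(42)}  # constructed payment id
    complete(payments, 42, token="EC-CONSTRUCTED", payer_id="PAYER-CONSTRUCTED")
    complete(payments, 42)
    return payments[42]
```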

@frankmullenger
Owner

@innomedia thanks for raising this issue. It has been a while since I last looked at this module. Do you have a patch for this issue? A pull request would be very welcome!

Thanks!
