Serious security issue - Printable Version
Form Tools forums (https://forums.formtools.org) - Forum: Form Tools - Forum: General Discussion
Thread: Serious security issue (/showthread.php?tid=304)
Serious security issue - Jaace - Sep 26th, 2009

This may not be a HUGE problem...but what I've noticed is that when using paypal submit, the paypal submit page gets loaded with a bunch of hidden fields right before the submit (these are coming from the includes/global_config.inc.php file). Amongst these fields is the "amount" value...which if I were clever I could easily use Firebug to edit before the form submits to paypal, making the amount 1 cent if I wanted. The form I'm creating needs to be a certain amount of money, no more, no less.

Now, I also have a coupon field that lowers the price...but someone could easily lower the price manually and then claim they entered the coupon code. This isn't the biggest concern since I can just cross-check with the saved data and verify if they did, in fact, enter the coupon code, because I'm saving that field as well. But I'd like it to be nearly impossible for the user to be able to edit those fields...and putting them in as hidden fields seems to be a little lacking in security.

RE: Serious security issue - Ben - Sep 26th, 2009

Hi Jaace,

Yes, this could certainly be hacked by anyone worth his mettle. However, this is kind of a problem with HTML forms in general: you can never truly know WHERE they're coming from. There are certainly ways to improve it: e.g. creating a CURL POST request on the server and submitting it to PayPal - this way you'll know that the data being sent from your site is exactly as you'd expect. But even that's not failsafe: a hacker could view the requests being sent and emulate them themselves, tweaking the POST values. The bottom line is that NO request sent via http is secure - it can always be mocked.

The PayPal integration zipfile that you're working from was actually just based on a library from PayPal themselves. I tweaked it to simplify a few things, but it hasn't actually been changed that much. No, it's not great: relying on the JS submit, for example, is pretty crummy; generating a bunch of hidden form fields is, again, not great. But in essence, this is how most PayPal integrations work.

So all in all, I wouldn't worry too much. A dedicated hacker will always be able to put through a payment with invalid values. You have to be vigilant on the administrative front to check payments to ensure they're valid. Sucks, but there you go.

How's your PayPal integration going, by the way? I wish I had more time! This week I've been reading about the problems you've posted and felt bad I don't have time to respond. But if you're stuck on anything this weekend and need a lending hand, email me at ben.keen@gmail.com and I'll see if I can help out. I'm around most weekends.

- Ben

RE: Serious security issue - Jaace - Sep 26th, 2009

Hi Ben! Thanks for the quick response. I figured this was the case and I'm not going to worry about it too much. There is only so much you can depend on machines to do...the rest you need your own eyes to analyze and make sure everything is correct! So, the people I'm setting up with this tool will need to verify that the payments that go through are of the correct amounts, etc etc.

As for my integration, it's going really smoothly! I fixed a few things with the zipfile that I posted on the boards...mostly just a few typo things like $paypal -> $pp in the ipn file and the "initialized" should be "initialize" (you already saw that one). This version is a LOT better than the first Form Tools, way to go! I've got my multi-page form submitting to paypal with uploads and it's working perfectly. Now I'm just getting client/server side validation on this thing and I'll be set. Thanks for the awesome tool. I'll be sure to post back to the forums with any more fixes or findings!

Cheers
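The after-the-fact check the thread settles on (compare each payment that comes back from PayPal with what the form should have charged, coupon included) can be automated in the IPN handler instead of being done by eye in the admin panel. This is an added example, not Form Tools or PayPal code; the coupon table, the base price, the submission field names (`coupon`, `merchant_email`) and the assumption that the IPN has already passed PayPal's postback validation are constructed for illustration.

```php
<?php
// Added example, not part of Form Tools or the PayPal library it wraps.
// Re-derives the expected charge on the server from data the client never
// controlled (stored base price + stored coupon code) and compares it with
// the amount PayPal reports, so an edited hidden "amount" field is detected.
// Assumes the IPN has already been validated with PayPal's postback step.

const BASE_PRICE = 50.00;                 // constructed: what the form must charge
const COUPONS    = ['SAVE10' => 10.00];   // constructed coupon table: code => discount

// Expected total computed only from server-side data.
function expected_amount(string $coupon): float {
    $discount = COUPONS[strtoupper(trim($coupon))] ?? 0.00;
    return max(0.00, BASE_PRICE - $discount);
}

// Returns null when the IPN is consistent with the stored submission,
// otherwise a reason string that an administrator should review first.
function check_ipn(array $ipn, array $submission): ?string {
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed: ' . ($ipn['payment_status'] ?? 'missing');
    }
    if (($ipn['receiver_email'] ?? '') !== $submission['merchant_email']) {
        return 'paid to a different receiver_email';
    }
    if (($ipn['mc_currency'] ?? '') !== 'USD') {
        return 'unexpected currency: ' . ($ipn['mc_currency'] ?? 'missing');
    }
    $expected = expected_amount($submission['coupon']);
    $paid     = (float) ($ipn['mc_gross'] ?? 0);
    // Money arrives as a string; compare with a cent tolerance, not ===.
    if (abs($paid - $expected) > 0.005) {
        return sprintf('amount mismatch: paid %.2f, expected %.2f', $paid, $expected);
    }
    return null;
}

// Constructed sample data: the stored submission, an IPN whose amount was
// lowered to one cent on the client, and an honest IPN for the same order.
$submission = ['id' => 42, 'coupon' => 'SAVE10', 'merchant_email' => 'sales@example.com'];
$tampered   = ['payment_status' => 'Completed', 'receiver_email' => 'sales@example.com',
               'mc_currency' => 'USD', 'mc_gross' => '0.01', 'custom' => '42'];
$honest     = $tampered;
$honest['mc_gross'] = '40.00';

foreach (['tampered' => $tampered, 'honest' => $honest] as $label => $ipn) {
    $problem = check_ipn($ipn, $submission);
    echo $label, ': ', $problem ?? 'ok', PHP_EOL;
}
```

A mismatch should hold the order for manual review rather than reject it outright, since PayPal has already taken the buyer's money at that point.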