The following warnings occurred:
Warning [2] Undefined array key "avatartype" - Line: 783 - File: global.php PHP 8.1.31 (Linux)
File Line Function
/global.php 783 errorHandler->error
/showthread.php 26 require_once
Warning [2] Undefined array key "avatartype" - Line: 783 - File: global.php PHP 8.1.31 (Linux)
File Line Function
/global.php 783 errorHandler->error
/showthread.php 26 require_once
Warning [2] Undefined variable $newpmmsg - Line: 40 - File: global.php(841) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/global.php(841) : eval()'d code 40 errorHandler->error
/global.php 841 eval
/showthread.php 26 require_once
Warning [2] Undefined array key "style" - Line: 909 - File: global.php PHP 8.1.31 (Linux)
File Line Function
/global.php 909 errorHandler->error
/showthread.php 26 require_once
Warning [2] Undefined property: MyLanguage::$lang_select_default - Line: 5024 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 5024 errorHandler->error
/global.php 909 build_theme_select
/showthread.php 26 require_once
Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 7162 errorHandler->error
/inc/functions.php 5044 is_member
/global.php 909 build_theme_select
/showthread.php 26 require_once
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1370 fetch_forum_permissions
/showthread.php 137 forum_permissions
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key "mybb" - Line: 1952 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1952 errorHandler->error
/inc/functions_indicators.php 41 my_set_array_cookie
/showthread.php 629 mark_thread_read
Warning [2] Undefined property: MyLanguage::$ratings_update_error - Line: 5 - File: showthread.php(732) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/showthread.php(732) : eval()'d code 5 errorHandler->error
/showthread.php 732 eval
Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 7162 errorHandler->error
/inc/functions_user.php 844 is_member
/inc/functions_post.php 406 purgespammer_show
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "profilefield" - Line: 6 - File: inc/functions_post.php(474) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php(474) : eval()'d code 6 errorHandler->error
/inc/functions_post.php 474 eval
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "canonlyreplyownthreads" - Line: 660 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 660 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showimages" - Line: 741 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 741 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showvideos" - Line: 746 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 746 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 7162 errorHandler->error
/inc/functions_user.php 844 is_member
/inc/functions_post.php 406 purgespammer_show
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "profilefield" - Line: 6 - File: inc/functions_post.php(474) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php(474) : eval()'d code 6 errorHandler->error
/inc/functions_post.php 474 eval
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "canonlyreplyownthreads" - Line: 660 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 660 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showimages" - Line: 741 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 741 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showvideos" - Line: 746 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 746 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 7162 errorHandler->error
/inc/functions_user.php 844 is_member
/inc/functions_post.php 406 purgespammer_show
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "profilefield" - Line: 6 - File: inc/functions_post.php(474) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php(474) : eval()'d code 6 errorHandler->error
/inc/functions_post.php 474 eval
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "canonlyreplyownthreads" - Line: 660 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 660 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showimages" - Line: 741 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 741 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showvideos" - Line: 746 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 746 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "invisible" - Line: 1506 - File: showthread.php PHP 8.1.31 (Linux)
File Line Function
/showthread.php 1506 errorHandler->error
Warning [2] Undefined variable $threadnotesbox - Line: 30 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/showthread.php(1533) : eval()'d code 30 errorHandler->error
/showthread.php 1533 eval
Warning [2] Undefined variable $addremovesubscription - Line: 79 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/showthread.php(1533) : eval()'d code 79 errorHandler->error
/showthread.php 1533 eval



FORUMS


The Form Tools forums are no longer active, but the old posts have been archived here. Please see the Help page on how to get help / report issues.

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Serious security issue
#1
This may not be a HUGE problem...but what I've noticed is that when using paypal submit, the paypal submit page gets loaded with a bunch of hidden fields right before the submit (these are coming from the includes/global_config.inc.php file). Amongst these fields is the "amount" value...which if I were clever I could easily use Firebug to edit before the form submits to paypal, making the amount 1 cent if I wanted.

The form I'm creating needs to be a certain amount of money, no more, no less. Now, I also have a coupon field that lowers the price...but someone could easily lower the price manually and then claim they entered the coupon code.

This isn't the biggest concern since I can just cross-check with the save data and verify if they did, in fact, enter the coupon code, because I'm saving that field as well. But I'd like it to be nearly impossible for the user to be able to edit those fields...and putting them in as hidden fields seems to be a little lacking in security.
Reply
#2
Hi Jaace,

Yes, this could certainly be hacked by anyone worth his mettle. However, this is kind of a problem with HTML forms in general: you can never truly know WHERE they're coming from.

There are certainly ways to improve it: e.g. creating a CURL POST request on the server and submitting it to PayPal - this way you'll know that the data being sent from your site is exactly as you'd expect. But even that's not failsafe: a hacked could view the requests being sent and emulate it themselves, tweaking the POST values. The bottom line is that NO request sent via http is secure - it can always be mocked.

The PayPal integration zipfile that you're working from was actually just based on a library from PayPal themselves. I tweaked it to simplify a few things, but it hasn't actually been changed that much. No, it's not great: relying on the JS submit, for example, is pretty crumby; generating a bunch of hidden form fields is again, not great. But in essence, this is how most PayPal integrations work.

So all in all, I wouldn't worry too much. A dedicated hacker will always be able to put through a payment with invalid values. You have to be vigilant on the administrative front to check payments to ensure they're valid. Sucks, but there you go.

How's your PayPal integration going, by the way? I wish I had more time! This week I've been reading about your problems you've posted and felt bad I don't have time to respond. But if you're stuck on anything this weekend and need a lending hand, email me at ben.keen@gmail.com and I'll see if I can help out. I'm around most weekends. Smile

- Ben
Reply
#3
Hi Ben! Thanks for the quick response. I figured this was the case and I'm not going to worry about it too much. There is only so much you can depend on machines to do...the rest you need your own eyes to analyze and make sure everything is correct! So, the people I'm setting up with this tool will need to verify that the payments that go through are of the correct amounts, etc etc.

As for my integration, it's going really smoothly! I fixed a few things with the zipfile that I posted on the boards...mostly just a few typo things like $paypal -> $pp in the ipn file and the "initialized" should be "initialize" (you already saw that one). This version is a LOT better than the first Form Tools, way to go!

I've got my multi-page form submitting to paypal with uploads and it's working perfectly. Now I'm just getting client/server side validation on this thing and I'll be set. Thanks for the awesome tool. I'll be sure to post back to the forums with any more fixes or findings! Cheers
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)