
Payment gateway vulnerability using POST


echoCarlos


hey guys.

 

I am using Liberty Reserve to sell my digital items online. When the user buys the item, LR posts back item_id, so I can grab the ID out of the database to display to the buyer, and lr_amnt, so I can check the amount against the one inside the database before displaying the result to the user.

 

TOP:
<?php

include 'includes/config.inc.php';

if(isset($_POST['item_id']) && isset($_POST['lr_amnt']))
{
    $itemID = $_POST['item_id'];
    $lrAmt = $_POST['lr_amnt'];
    
   $result = mysql_query("SELECT * FROM items WHERE item_id='$itemID'");

   while($row = mysql_fetch_array($result))
   {
      $login = $row['item_login'];
      $pass = $row['item_pass'];
      $itemName = $row['item_account'];
      $itemDel = $row['item_del'];
      $price = $row['item_price'];
   }
   
}


?>

--------------------------------

Header:
<?php if($lrAmt != $price) : ?>
        <h2>Fatal error in transaction: the price does not match that in the database</h2>
        <?php else: ?>
        <h2>Thank you for your purchase of <?php echo $itemName; ?>. Please keep these details safe as they have been deleted from our database.</h2>
        <?php
            echo '<br />';
            echo 'Your new Username: ' . $login;
            echo '<br />';
            echo 'Your password: ' . $pass;
            ?>
        <?php endif; ?>

 

but if the user views the source code and grabs the ID, they could easily get it for free by making a simple HTML script that takes in item_id and lr_amnt, puts in the values and posts it to the success page.

 

example:

<fieldset>
            <!-- <legend>Forgot password</legend> --> 
            <form method="post" action="http://angrypossum.org/carl/mySaleTwo/success.php">
                <p>
                    <label for="itemid">Item ID:  </label>
                    <input type="text" name="item_id" id="itemid" class="input" />
                </p>
                
                <p>
                    <label for="itemprice">Item price:  </label>
                    <input type="text" name="lr_amnt" id="itemprice" class="input" />
                </p>
                
                <p>
                    <input type="submit" name="login" value="Steal" class="button" />
                </p>
            
                
                
            </form>
        </fieldset>

 

how could I stop that?

 

thanks


i'd qualify your submission with a hidden hash check.  set a $_SESSION['checkValid'] variable early in your process that you pass along.  then check that it is passed along when success.php gets called and then pass that same variable through some convolution, like an SHA1-256 or whatever and see if the convoluted variable result matches the stored expected result.  then, even if they do view source and have the item_id, without the correct $_SESSION['checkValid'] value...no processing takes place.  even if they fake it, so it passes an 'isset' check, it will fail the convolution check.  because your convolution is server-side, they won't see it, can't access it and so...fail!  and your convolve formula could be something simple like an SHA1-256 then reversed.

 

anyway.  that's a 'quick-n-dirty' solution that ought to work.  if you want, check the sticky What's The Point of MD5?

 

WR!


Liberty Reserve should post back a transaction ID, which you can then (hopefully) verify by some form of API they provide.

 

Why not check out their sample store, and see how they suggest doing it?

http://www.libertyreserve.com/en/home/downloads

 

 

$_SERVER['HTTP_REFERER']; is defined client-side, and can't be trusted.


It's the payment gateway that posts the confirmation data back to the site. A matching user session won't exist in this case.

 

@echoCarlos, your payment gateway should post a transaction id to your site along with the data for that transaction, and you SHOULD then be able to post that data back to the payment gateway to confirm that the data came from the gateway (and that you received it error free), OR your gateway should have a unique value that only you and the payment gateway know, which gets securely sent (via https/ssl only) to you with the confirmation information.

 

If your payment gateway doesn't provide you with a way of confirming that the data that was posted to your site actually came from the gateway, you should probably find a different payment gateway.
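Putting the advice in this thread together, here is an added example (not the original poster's code and not Liberty Reserve's own SCI) of a success.php that refuses the callback unless it proves it came from the gateway. It assumes the gateway posts a transaction id (`txn_id`) and a `signature` that is an HMAC-SHA256 over `txn_id:item_id:lr_amnt` keyed with a secret shared only with the gateway, that config.inc.php defines `$pdo` and `GATEWAY_SECRET`, and that a `redeemed_transactions` table with a UNIQUE `txn_id` column exists; the real field names and hash recipe must be taken from the gateway's documentation.

```php
<?php
// Added example: hardened success.php. Field names, the HMAC recipe,
// $pdo, GATEWAY_SECRET and the redeemed_transactions table are assumptions.
include 'includes/config.inc.php';

// Returns the verified callback fields, or null if the signature is missing or wrong.
function verify_callback(array $post, string $secret): ?array {
    foreach (['txn_id', 'item_id', 'lr_amnt', 'signature'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    $payload  = $post['txn_id'] . ':' . $post['item_id'] . ':' . $post['lr_amnt'];
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison so timing differences do not leak the signature.
    if (!hash_equals($expected, $post['signature'])) {
        return null;
    }
    return ['txn_id' => $post['txn_id'], 'item_id' => $post['item_id'], 'amount' => $post['lr_amnt']];
}

$cb = verify_callback($_POST, GATEWAY_SECRET);
if ($cb === null) {
    http_response_code(400);
    exit('Invalid or unsigned callback');
}

// Prepared statement instead of interpolating $_POST into the query string.
$stmt = $pdo->prepare('SELECT item_login, item_pass, item_account, item_price FROM items WHERE item_id = ?');
$stmt->execute([$cb['item_id']]);
$item = $stmt->fetch(PDO::FETCH_ASSOC);
if ($item === false) {
    http_response_code(404);
    exit('Unknown item');
}

// The price that counts is the one stored server-side; the posted amount must match it.
$dbPrice   = number_format((float) $item['item_price'], 2, '.', '');
$paidPrice = number_format((float) $cb['amount'], 2, '.', '');
if ($dbPrice !== $paidPrice) {
    exit('Fatal error in transaction: the price does not match that in the database');
}

// Reject replays: a signed transaction id may only be redeemed once (UNIQUE constraint).
try {
    $pdo->prepare('INSERT INTO redeemed_transactions (txn_id, item_id) VALUES (?, ?)')
        ->execute([$cb['txn_id'], $cb['item_id']]);
} catch (PDOException $e) {
    http_response_code(409);
    exit('Transaction already redeemed');
}

echo 'Thank you for your purchase of ' . htmlspecialchars($item['item_account']) . '<br />';
echo 'Your new Username: ' . htmlspecialchars($item['item_login']) . '<br />';
echo 'Your password: ' . htmlspecialchars($item['item_pass']);
```

If the gateway offers a post-back confirmation API instead of a signed callback, replace `verify_callback` with a server-to-server request to that API over HTTPS and keep the price and replay checks unchanged.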
