This week we're looking at a specific security flaw in the standard osCommerce checkout logic. The gap was discovered by a colleague, Chemo, while we were coordinating on a project together. Bobby found that the hole can be exploited by purpose-built bots to bypass the before_process function in most payment modules. In the before_process call, the module typically uses cURL to submit the transaction to a credit card gateway for verification and approval, then acts on the gateway's response. This applies specifically to popular merchant account gateways such as Authorize.net, LinkPoint, etc.
These bots submit invalid credit card numbers to checkout_process.php, which hands them to the payment module's before_process function. The gateway declines the card and the module responds by issuing a redirect back to checkout_payment.php, but the bots simply ignore that redirect, and nothing else in the script acts on the declined response. With the redirect bypassed, checkout_process.php runs to completion and records what looks like a valid order. The discrepancy only becomes apparent when the merchant account ledger is reconciled against the orders stored in osCommerce.
So what can you do to make sure your osCommerce store is safe from these bots? There is a relatively simple fix. First, change the logic in your payment module so that before_process returns a boolean (true/false) indicating whether the gateway approved the transaction. Then modify checkout_process.php to check that return value. If before_process returned false and the user has not already been redirected to checkout_payment.php, they are clearly not obeying the redirect that before_process issued, so redirect them once more from checkout_process.php to checkout_payment.php. If execution continues past that final redirect, destroy the session and stop checkout_process.php before any order is written.
Finally, modify the tep_redirect function in catalog/includes/functions/general.php so that it calls exit() immediately after sending the Location header. PHP's header() only queues the response header; it does not stop the script, so without the exit() the remainder of the calling page keeps running on the server whether or not the client follows the redirect. Adding it ensures that nothing after the redirect, including the checkout logic, can execute for a client (such as a bot) that ignores it.
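The three changes above, put together as an added illustration. This is not code from the original post and not osCommerce's shipped source: tep_redirect() is reduced to the two lines that matter (the real function also rewrites NONSSL URLs to SSL), the module class example_gateway and its gateway_authorize() call are hypothetical stand-ins for a module's cURL call to the merchant gateway, and the snippet assumes, as in osCommerce 2.2, that the payment class wrapper passes the module's before_process() return value straight through to checkout_process.php. tep_redirect(), tep_href_link(), tep_session_destroy() and FILENAME_CHECKOUT_PAYMENT are existing osCommerce names; the exact surrounding lines in your checkout_process.php will differ by version.

```php
<?php
// 1. catalog/includes/functions/general.php
//    Stop execution right after the Location header is sent. header() alone
//    does not end the script, so without the exit() the rest of the calling
//    page (checkout_process.php) keeps running whatever the client does.
function tep_redirect($url) {
  header('Location: ' . $url);
  exit();
}

// 2. catalog/includes/modules/payment/<module>.php (hypothetical module)
//    before_process() now reports the gateway decision to its caller instead
//    of relying on the redirect alone. gateway_authorize() is an assumed
//    stand-in for the module's cURL round trip; it must return true only for
//    an approved authorization and false for any decline, error or timeout.
class example_gateway {
  function before_process() {
    global $order;

    $approved = gateway_authorize($order);   // hypothetical helper, see lead-in

    if ($approved !== true) {
      tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT,
                   'error_message=' . urlencode('Your card was declined.'),
                   'SSL', true, false));
      return false;   // only reached if tep_redirect() did not exit
    }

    return true;
  }
}

// 3. catalog/checkout_process.php, where the module is invoked.
//    The payment class wrapper returns the module's boolean (assumption for
//    your version: check that its before_process() has a return statement).
$payment_ok = $payment_modules->before_process();

if ($payment_ok !== true) {
  // The module should already have redirected and exited. If we are still
  // here the redirect was not honoured, so issue it once more from here.
  tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL'));

  // Defence in depth: if execution somehow continues past the second
  // redirect, drop the session (cart, customer, payment selection) and stop
  // before any order row is written.
  tep_session_destroy();
  exit();
}

// Only an approved authorization reaches the order-insertion code below.
?>
```

The checks in step 3 are deliberately redundant once step 1 is in place; they are there so that a module which forgets to exit, or a future tep_redirect() that loses its exit(), still cannot let a declined card fall through to the order insert.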
This demonstrates how we, as developers and store owners, should always treat osCommerce as a work in progress. Of course, if you would like us to make these modifications and secure your store against this threat, please follow the link below or contact us.
Cordially,
David