yoeff
Joined: 07/02/2008

This is a good JavaScript hack that you can use on PayPal and Ubercart.

When on the review page you can use JavaScript in the URL bar to change hidden values in the page to change the price and shipping costs that are sent to PayPal.

Example:

javascript:alert(document.getElementsByName('amount_1')[0].value = 1)

This will change the price of the product to 1 dollar.

javascript:alert(document.getElementsByName('handling_cart')[0].value = 0)

This will remove shipping costs.

I've been trying to come up with ideas to fix this but the only ones that I can think of are curl or an HTML post where Ubercart can control the form values.

Ryan
Joined: 08/07/2007
Re: Paypal Hack

Are you talking about for PayPal Website Payments Standard? You can actually modify the values in that form using Drupal's hook_form_alter() before they're ever even displayed on the page.

yoeff
Joined: 07/02/2008
Ryan wrote:

Are you talking about for PayPal Website Payments Standard? You can actually modify the values in that form using Drupal's hook_form_alter() before they're ever even displayed on the page.

I had someone hack a site that I administer using these methods to cancel out their shipping costs.

Ryan
Joined: 08/07/2007
Re: Ryan wrote:Are you talking

Oof. Hmm... I'm not sure there's really much you can do about this. That's part of the reason Ubercart won't automatically update orders to payment received when an IPN comes in... at least it shouldn't if it is now. It should be checking the order balance once an IPN comes through to make sure the full price was paid.

torgosPizza
Joined: 08/14/2007
Re: Re: Ryan wrote:Are you talking

I don't think this actually happened. Those values that are being "hacked" are, AFAIK, not what gets processed at checkout. They are basically "read-only" results from the line_item functions being called by the form.

I even did this:

javascript:alert(document.getElementById('edit-panes-payment-current-total').value = 1)

It alerted me with "1" and then I noticed that the value in the form became 1 as well, for that hidden input field. However, when I went to checkout, the correct total ($21 and change) was still what got sent to PayPal.

If you think your system was actually hacked, if you can provide a way to replicate it (and it's actually a hack), then we can start thinking of a security fix. Right now though I'd call this busted.

--
Help directly fund development: Donate via PayPal!

Ryan
Joined: 08/07/2007
Re: Re: Re: Ryan wrote:Are you talking

I think the things he's showing got changed are in the actual PayPal WPS form that users submit to head to PayPal.

torgosPizza
Joined: 08/14/2007
Re: Re: Re: Re: Ryan wrote:Are you talking

Well, I even tried it there (at the "Submit order" screen) and no luck. What he's pasted there doesn't work, at least, not for me.

If this is a hack, one suggestion might be to not have the form at Submit order, but perhaps make an intermediary page that the user never sees and is, instead, a post via cURL or something? That way the user just submits the screen and the shop backend does the rest, submitting a form that can't be altered (if this one actually can).

If you find a way to reproduce this exactly let me know and I can test it.


yoeff
Joined: 07/02/2008
Re: Paypal Hack

It was done on the order review page. Here is some sample PayPal code that you can test with.

<form target="_self" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="add" value="1">
<input type="hidden" name="business" value="youremail@youremail.com">
<input type="hidden" name="item_name" value="my_product">
<input type="hidden" name="item_number" value="12345">
<input type="hidden" name="amount" value="10.00">
<input type="hidden" name="currency_code" value="GBP">
<input type="hidden" name="shipping" value="0.55">
<input type="hidden" name="shipping2" value="0.55">
<input type="hidden" name="handling_cart" value="100000.25">
<input type="hidden" name="receiver_email" value="youremail@youremail.com">
<input type="hidden" name="mrb" value="R-3WH47588B4505740X">
<input type="hidden" name="pal" value="ANNSXSLJLYR2A">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="bn" value="PP-ShopCartBF">
<input type="hidden" name="shopping_url" value="http://www.mysite.com/order_page.html">

Select Quantity:&nbsp;&nbsp;
<select name="quantity">
<option value="1" selected>1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select>

<br><br>
<input type="image" name="submit" src="https://www.paypal.com//en_US/i/btn/x-click-but22.gif" border="0" alt="Make payments with PayPal, it's fast, free, and secure!">
</form>

As you can see, handling_cart is 100000.25. The person then runs the JavaScript to change the value of the hidden field and when submitted to PayPal the handling charge is gone.

TR
Joined: 11/05/2007
Re: Re: Paypal Hack

I find it extremely irresponsible of you to post a "potential" security weakness on a public board. You seem to personally believe someone could use this technique to steal from people with Ubercart stores, so you go off and tell everybody about it? Incredible.

In the future, if you think there's a security problem, the RESPONSIBLE way to deal with it is to report it privately to the people who maintain the software, exchange messages with them to determine if it really is a problem, then allow them to publish a patch to fix any real problem that may exist. Please read the Drupal guidelines for this process: http://drupal.org/security-team

For the record though, what you're pointing out is just a "feature" of the PayPal WPS architecture. Of course a user can construct a phony form, but as stated above, that's why PayPal has IPN - PayPal IPN sends a secure message back to your server with the payment details, and it's up to your server to verify the details. Even if you *could* alter what gets sent to PayPal, it doesn't change the fact that Ubercart will see that as only a partial payment, so the order will never be processed.
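
The server-side IPN check discussed in this thread, as an added example that is not part of the original posts and is not Ubercart's own code: the shop ignores whatever the browser form contained and compares the amount PayPal reports as paid against the total it stored for the order. It assumes the IPN has already been authenticated with PayPal's `cmd=_notify-validate` postback; the order store, its field names and the sample values are hypothetical.

```javascript
// Added example: reconcile a PayPal IPN against the order total the shop stored.
// Assumption: the IPN was already authenticated via PayPal's postback.
// ORDERS and its field layout are hypothetical; values are constructed.
const ORDERS = {
  '1001': { totalCents: 2155, currency: 'USD', receiver: 'shop@example.com', seenTxns: new Set() },
};

// Parse a decimal string such as "21.55" into integer cents without float math.
function toCents(s) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(s).trim());
  if (!m) return null;
  return Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0'));
}

// Decide whether an IPN settles the order. Hidden form fields are never
// consulted: only the stored order and the values PayPal reports count.
function reconcileIpn(ipn, orders = ORDERS) {
  const order = orders[ipn.invoice];
  if (!order) return { ok: false, reason: 'unknown order' };
  if (ipn.payment_status !== 'Completed') {
    return { ok: false, reason: 'payment not completed' };
  }
  if (String(ipn.receiver_email).toLowerCase() !== order.receiver) {
    return { ok: false, reason: 'wrong receiver' };
  }
  if (ipn.mc_currency !== order.currency) {
    return { ok: false, reason: 'currency mismatch' };
  }
  if (order.seenTxns.has(ipn.txn_id)) {
    return { ok: false, reason: 'duplicate txn' };
  }
  const paid = toCents(ipn.mc_gross);
  if (paid === null) return { ok: false, reason: 'bad amount' };
  if (paid < order.totalCents) {
    // A tampered amount or handling field shows up here as an underpayment.
    return { ok: false, reason: 'partial payment', shortBy: order.totalCents - paid };
  }
  order.seenTxns.add(ipn.txn_id); // record only once the payment is accepted
  return { ok: true, reason: 'paid in full' };
}
```

An order that fails with `partial payment` stays unpaid and can be flagged for manual review instead of being shipped.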
