i-lateral / silverstripe-checkout
Shopping cart and Checkout module for Silverstripe
License: BSD 3-Clause "New" or "Revised" License
Hey there, I was reading through the code in your repository and I was not able to find any verification functionality for double-checking that the checkout form was not tampered with before it was sent. I see that you have created an IPN listener to protect against request forgery. But I cannot seem to find any code in your repo that compares the returned POST variables against DB records to ensure that the item information matches.
It is possible that I missed it when I read through your code. But if, on the other hand, you do not ever check the returned POST request variables, you really need to. Otherwise, a malicious user could edit the hidden fields in the purchase form to change the price of an item before submitting it. And because they are editing the form before it reaches PayPal (and not trying to forge a PayPal request to send directly to your server), they will subvert any basic IPN checks.
Please get back to me as soon as possible. I happen to use this module on a production site and would like to either a) patch it as quickly as possible if there is a security hole or b) stop worrying about it if you already have functionality that protects against this kind of attack.
Thanks in advance,
Mooror
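As an added illustration of the server-side check the issue asks about (example code written for this page, not part of the silverstripe-checkout module or its API): the only trusted source of prices is the server's own product records, so the checkout handler rebuilds the order total from the submitted SKUs and quantities and ignores any price the browser sends; the IPN stage then compares what the gateway reports as paid against the stored order. The in-memory CATALOGUE array is a constructed stand-in for the product table, and the IPN field names mc_gross and mc_currency are assumed for the second check.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the product table (not the module's real schema).
// Prices are kept in integer cents so totals are compared exactly, not as floats.
const CATALOGUE = [
    'SKU-001' => ['title' => 'Widget', 'price_cents' => 1999],
    'SKU-002' => ['title' => 'Gadget', 'price_cents' => 4500],
];

/**
 * Rebuild the order from trusted records.
 *
 * $postedLines is the decoded cart from the checkout POST, for example
 *   [['sku' => 'SKU-001', 'qty' => 2, 'price' => '0.01'], ...]
 * The submitted 'price' key is deliberately never read: only the SKU and
 * quantity come from the client, and both are validated before use.
 *
 * @return array{total_cents:int, lines:array}
 * @throws InvalidArgumentException on an unknown SKU, a bad quantity or an empty cart
 */
function buildTrustedOrder(array $postedLines): array
{
    $total = 0;
    $lines = [];
    foreach ($postedLines as $line) {
        $sku = (string)($line['sku'] ?? '');
        if (!isset(CATALOGUE[$sku])) {
            throw new InvalidArgumentException("Unknown product: $sku");
        }
        // Quantity must be a positive integer; rejects "", "1.5", "-1" and similar.
        $qty = filter_var($line['qty'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($qty === false) {
            throw new InvalidArgumentException("Invalid quantity for $sku");
        }
        $unit = CATALOGUE[$sku]['price_cents'];
        $lines[] = ['sku' => $sku, 'qty' => $qty, 'unit_cents' => $unit];
        $total += $unit * $qty;
    }
    if ($total <= 0) {
        throw new InvalidArgumentException('Empty order');
    }
    return ['total_cents' => $total, 'lines' => $lines];
}

/**
 * Second check, at the IPN stage: the amount the gateway reports as paid must
 * equal the total we recorded at checkout, in the currency we expected.
 * $notification is the IPN payload after the listener's own validation;
 * 'mc_gross' and 'mc_currency' are assumed field names for this example.
 * $storedOrder is our own DB record written when the order was created.
 */
function paymentMatchesOrder(array $notification, array $storedOrder): bool
{
    $paidCents = (int)round(((float)($notification['mc_gross'] ?? 0)) * 100);
    return $paidCents === $storedOrder['total_cents']
        && ($notification['mc_currency'] ?? '') === $storedOrder['currency'];
}

// Demonstration with a constructed tampered submission: the form claims a
// 1-cent price for a product the catalogue lists at 19.99.
$tampered = [['sku' => 'SKU-001', 'qty' => 2, 'price' => '0.01']];
$order = buildTrustedOrder($tampered);
$order['currency'] = 'USD';
echo "Trusted total: {$order['total_cents']} cents\n";

// Only a notification whose amount matches the stored order is accepted.
var_dump(paymentMatchesOrder(['mc_gross' => '0.02', 'mc_currency' => 'USD'], $order));
var_dump(paymentMatchesOrder(['mc_gross' => '39.98', 'mc_currency' => 'USD'], $order));
```

The tampered price never reaches the total: the order is priced at 2 × 1999 cents from the catalogue, and the notification reporting the tampered amount is rejected while the one matching the stored total is accepted. In a real module the same two functions would read from the product and order tables instead of the constructed array, and the order record (with its total and currency) must be written before the customer is redirected to the gateway so the IPN comparison has something trustworthy to compare against.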