[Buy Premium] - Feature not secure

cajkan

Active Member
Hello all,

Looks like the Buy Premium feature isn't secure enough.
Today one user purchased a premium membership - 52 weeks for only 0.01$

Here's a screenshot from the E-mail and Paypal:



The screenshot clearly says: 52 weeks - price per week 2.5$.
I don't want to ban / remove the user - that will not be the perfect solution because he can do that again.

I really want to know how this is possible and what should be done to avoid this kind of scam.


Thank you
 

donald22

Member
First you need to find out if it's a scam or a problem with the software or even paypal. Sign up as a user and purchase the same deal and see what invoice you get.
 

Mark

Administrator
Staff member
This is caused by the user disabling JavaScript and submitting their own values. This is why we recommend you manually review premium orders.

The next version of premium membership will not be prone to this.



If you have a user trying to cheat you like this, it makes sense to boot them from your list... They will probably keep trying to cheat your list in other ways.
 

Basti

Administrator
Staff member
Guess part of preventing this is to add the form elements via ajax ( $.get() an html file with the form in it ). If he disables javascript, he doesn't get a form at all then.
 

kalle801

Member
To bypass this is very easy, I'll not explain how to do it.
But if you want it secure, just encrypt your paypal code with a php encrypter.
 

Mark

Administrator
Staff member
To bypass this is very easy, I'll not explain how to do it.
But if you want it secure, just encrypt your paypal code with a php encrypter.
uh no :) that is bad advice, PHP encryption is never a solution to weak security. The user can still pass the exact same post/get values to the encrypted code and the exploit will still work.
 

Mark

Administrator
Staff member
Sorry mate, you are very misinformed, encryption does not protect from data injection at all....ever. And yes it is an exploit, that is the topic of this thread... even with PHP encryption the exact same technique to cheat it still works. Try it if you don't believe me :)

Even with the source code fully visible, the users should never be able to alter the values. You also don't understand that the names of the fields in question do not change when you encrypt code; encryption is to prevent people from stealing your code... NOT to protect from hackers.

The problem is there is no value checked on return or before being sent to paypal, so POST data can be sent to the checkout page with arbitrary values, resulting in someone being able to buy as many days as they like for 0.01. Even if you encrypt this entire code block it will not make any difference. We simply need to validate the user input better; that is the correct solution.

Please avoid spreading bad advice if you don't really understand what you're talking about. You can send people on a wild goose chase and waste too much time.
 

kalle801

Member
Just forget this php encrypt idea.
But the link I posted is the original from Paypal where you can see how to secure it.
 

Mark

Administrator
Staff member
No, the link you posted is not helpful at all in this case; that has nothing to do with this particular exploit.
 

deeaka

New Member
No, the link you posted is not helpful at all in this case; that has nothing to do with this particular exploit.
If you even use inspect element in Chrome and then modify the amount value on the join_premium_review page and then press buy, it works. You don't need exploits or any other methods to modify the value. I recommend everyone to manually approve the premium members. It works on the 2CO payment method as well. Do not use auto approve for premium members.
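Mark's post above names the actual defect (the amount is never checked before being sent to PayPal or when the payment comes back), and deeaka's post shows that editing the form value in the browser is all it takes. The following is an added example, not code from the forum software or from PayPal, showing the vulnerable pattern next to a hardened version: the server keeps its own price table, reads only the term length from the request, recomputes the amount itself, and on the IPN side activates the membership only when the verified paid amount matches the stored order. The form field names, the price table, the order store and the callback that posts the IPN back to PayPal are assumptions made for illustration; the IPN variable names (custom, mc_gross, mc_currency, payment_status, receiver_email) are PayPal's own.

```php
<?php
// Added example (not the forum software's or PayPal's code). Field names, the
// price table, the order store and $verifyWithPaypal are assumptions.
declare(strict_types=1);

const PRICE_PER_WEEK_CENTS = 250;                 // 2.50 USD, server-side truth
const ALLOWED_TERMS_WEEKS  = [4, 12, 26, 52];
const MERCHANT_EMAIL       = 'merchant@example.invalid';   // constructed value

function centsToAmount(int $cents): string
{
    return sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
}

function amountToCents(string $amount): ?int
{
    // Accept only a plain decimal with exactly two fractional digits.
    return preg_match('/^\d+\.\d{2}$/', $amount) ? (int)str_replace('.', '', $amount) : null;
}

// VULNERABLE (the pattern discussed in the thread): the amount is taken straight
// from the browser, so a user who disables JavaScript or edits the DOM can post
// weeks=52 together with amount=0.01 and that is what reaches the checkout.
function buildCheckoutVulnerable(array $post): array
{
    return [
        'item_name' => 'Premium membership',
        'quantity'  => $post['weeks'],
        'amount'    => $post['amount'],            // attacker-controlled
    ];
}

// HARDENED: only the term length is read from the request, it is checked against
// an allow-list, and the price is recomputed here. Nothing typed into the form
// can change what is charged. Invalid input is rejected, not "fixed up".
function buildCheckoutHardened(array $post, string $orderId): ?array
{
    $weeks = (string)($post['weeks'] ?? '');
    if (!ctype_digit($weeks) || !in_array((int)$weeks, ALLOWED_TERMS_WEEKS, true)) {
        return null;
    }
    return [
        'item_name'     => 'Premium membership',
        'quantity'      => 1,
        'amount'        => centsToAmount(PRICE_PER_WEEK_CENTS * (int)$weeks),
        'currency_code' => 'USD',
        'custom'        => $orderId,               // lets the IPN be matched to our record
    ];
}

// IPN side: activate only from a verified IPN whose paid amount matches the order
// stored when the checkout was built (never from the redirect page). The callback
// posts the message back to PayPal and returns true only on "VERIFIED"; that
// network call is assumed to exist and is not shown here.
function activateFromIpn(array $ipn, array &$orders, callable $verifyWithPaypal): string
{
    if (!$verifyWithPaypal($ipn)) {
        return 'rejected: IPN not verified';
    }
    $orderId = (string)($ipn['custom'] ?? '');
    if (!isset($orders[$orderId])) {
        return 'rejected: unknown order';
    }
    $order = &$orders[$orderId];
    if ($order['status'] !== 'pending') {
        return 'rejected: replayed IPN';           // same notification delivered twice
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'rejected: payment not completed';
    }
    if (($ipn['receiver_email'] ?? '') !== MERCHANT_EMAIL) {
        return 'rejected: paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== 'USD'
        || amountToCents((string)($ipn['mc_gross'] ?? '')) !== $order['cents']) {
        return 'rejected: amount mismatch';        // the 0.01-for-52-weeks case
    }
    $order['status'] = 'paid';
    return "activated: {$order['weeks']} weeks";
}

// Demonstration with a constructed tampered request and constructed IPN messages.
$tampered = ['weeks' => '52', 'amount' => '0.01'];
print_r(buildCheckoutVulnerable($tampered));               // the tampered amount goes through
print_r(buildCheckoutHardened($tampered, 'ord-1'));        // amount recomputed from the price table
var_dump(buildCheckoutHardened(['weeks' => '999'], 'ord-2'));   // term not on the allow-list

$orders = ['ord-1' => ['weeks' => 52, 'cents' => 52 * PRICE_PER_WEEK_CENTS, 'status' => 'pending']];
$alwaysVerified = fn(array $m): bool => true;               // stand-in for the PayPal post-back
$cheapIpn = ['custom' => 'ord-1', 'payment_status' => 'Completed', 'receiver_email' => MERCHANT_EMAIL,
             'mc_currency' => 'USD', 'mc_gross' => '0.01'];
echo activateFromIpn($cheapIpn, $orders, $alwaysVerified), "\n";              // underpaid: rejected
echo activateFromIpn(['mc_gross' => '130.00'] + $cheapIpn, $orders, $alwaysVerified), "\n";  // matches
echo activateFromIpn(['mc_gross' => '130.00'] + $cheapIpn, $orders, $alwaysVerified), "\n";  // replay
```

The design point is the one Mark makes: the browser never decides the price. The request carries only an identifier for what is being bought, the server derives the amount, stores it with an order id, and the payment notification is checked against that stored record (verified with PayPal, correct receiver, correct currency, exact amount in integer cents, not already consumed) before anything is activated. Manual approval, as deeaka suggests, is a reasonable stopgap until the software does this check itself.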
 

Mark

Administrator
Staff member
Is that on your site? Do you have premium settings configured? Or are you trying this on the demo? The dev install?

Just a little more information from you would have been nice...
 