Is this paypal IPN script vulnerable to exploit?

  1. #1  Senior Member (Silver Lake; joined Apr 2003; 4,842 posts)


    I recently ran across a PHP script that handles IPN notifications from Paypal. It looks a bit dodgy to me:
    PHP Code:
    // STEP 1: Read POST data
    // reading posted data directly from $_POST causes serialization
    // issues with array data in POST
    // reading raw POST data from input stream instead.
    $raw_post_data = file_get_contents('php://input');
    $raw_post_array = explode('&', $raw_post_data);
    $myPost = array();
    foreach ($raw_post_array as $keyval) {
        $keyval = explode('=', $keyval);
        if (count($keyval) == 2)
            $myPost[$keyval[0]] = urldecode($keyval[1]);
    }
    // read the post from PayPal system and add 'cmd'
    $req = 'cmd=_notify-validate';
    $get_magic_quotes_exists = false;
    if (function_exists('get_magic_quotes_gpc')) {
        $get_magic_quotes_exists = true;
    }
    foreach ($myPost as $key => $value) {
        if ($get_magic_quotes_exists == true && get_magic_quotes_gpc() == 1) {
            $value = urlencode(stripslashes($value));
        } else {
            $value = urlencode($value);
        }
        $req .= "&$key=$value";
    }

    // STEP 2: Post IPN data back to paypal to validate
    // $paypal_url (the PayPal webscr endpoint) is assumed to be set earlier in the script
    $ch = curl_init($paypal_url);
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close'));

    // In wamp like environments that do not come bundled with root authority certificates,
    // please download 'cacert.pem' from "http://curl.haxx.se/docs/caextract.html" and set the directory path
    // of the certificate as shown below.
    // curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem');
    if (!($res = curl_exec($ch))) {
        // error_log("Got " . curl_error($ch) . " when processing IPN data");
        curl_close($ch);
        exit;
    }
    curl_close($ch);
    Firstly, I'm wondering why it tries to get raw post data from php://input. Secondly, it seems poorly designed in that it checks get_magic_quotes_gpc() for each loop iteration, but lastly and most disturbingly, it would appear that one might be able to POST some data to this script that would in turn POST any data we like back to the paypal gateway, thereby executing some arbitrary gateway command. This might be accomplished by putting a 'cmd=some_other_command' string in one's POST data. Am I imagining this hole exists?

    I realize that the script does not seem to reveal (or utilize) any paypal credentials except what is in the POST data, but it still seems pretty weird to me.

  2. #2  traq, Senior Member (so.Cal; joined Jun 2011; 949 posts)
    That's actually a verbatim copy of paypal's sample PHP script.

    To answer specifics:

    No vulnerability. IPN isn't exactly part of the payment authorization process, it just notifies you of the success/failure of a payment started on your site.

    1) you send user to paypal
    2) paypal posts to your site with a token and some other junk
    3) your site posts the **exact same information** back to paypal to acknowledge
    4) paypal acknowledges your acknowledgement and shares transaction details
    5) hunky-dory

    So, if you changed one of the params, paypal would simply abort. IPN is more a protection for *you* than the user (i.e., to make sure the payment was successful and the user didn't mess with the qty/price in the PayPal button) before sending off merchandise on the assumption (hope?) that it was actually paid for.

    ------------------

    Don't know why they chose to use php://input. PayPal's previous example used fputs() and fgets().

    ------------------

    Yes, it does seem badly designed in that it checks magic quotes for each iteration of the loop.
    Of course, there wouldn't be any need to check, if everyone were running 5.4.
    Last edited by traq; 02-09-2013 at 01:34 AM.
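The handshake traq describes, as an added example in Python (not the thread's PHP and not PayPal's code): a constructed stand-in for the validation endpoint plus a merchant-side handler, showing why a tampered echo or an injected second cmd= parameter comes back INVALID rather than acting as a command, and the checks the merchant still owes after VERIFIED. The stand-in encodes the thread's description of PayPal's behaviour, not the real service; payment_status, mc_gross, receiver_email and txn_id are real IPN field names, while the sample notification and addresses are constructed.

```python
from urllib.parse import parse_qsl

VALIDATE_CMD = "_notify-validate"

def parse_ipn_body(raw):
    """Decode a raw POST body into ordered (key, value) pairs, keeping duplicate keys
    (the reason the PHP script reads php://input instead of the collapsed $_POST)."""
    return parse_qsl(raw, keep_blank_values=True)

def build_validation_body(raw):
    """Merchant side of step 3: echo PayPal's message back verbatim behind cmd=_notify-validate."""
    return "cmd=" + VALIDATE_CMD + "&" + raw

class FakePayPal:
    """Constructed stand-in for the webscr endpoint (not PayPal's service): it remembers the
    notification it sent and answers VERIFIED only when the echo reproduces it exactly."""
    def __init__(self, notification):
        self.sent = parse_ipn_body(notification)

    def validate(self, body):
        pairs = parse_ipn_body(body)
        if pairs[:1] != [("cmd", VALIDATE_CMD)] or pairs[1:] != self.sent:
            return "INVALID"  # any changed, added or duplicated parameter (a second cmd= included) aborts
        return "VERIFIED"

def process_ipn(raw, paypal, my_email, expected_gross):
    """Step 4: act only after PayPal confirms the message and the money matches what we charged."""
    if paypal.validate(build_validation_body(raw)) != "VERIFIED":
        return "rejected: not verified"
    f = dict(parse_ipn_body(raw))
    if f.get("payment_status") != "Completed":
        return "ignored: status " + f.get("payment_status", "?")
    if f.get("receiver_email") != my_email or f.get("mc_gross") != expected_gross:
        return "rejected: receiver or amount mismatch"
    return "accepted: " + f["txn_id"]

# Constructed sample notification (step 2), not a real PayPal message.
NOTIFICATION = ("txn_id=TX1&payment_status=Completed&mc_gross=19.99"
                "&receiver_email=shop%40example.com&custom=order42")

def demo():
    pp = FakePayPal(NOTIFICATION)
    run = lambda body: process_ipn(body, pp, "shop@example.com", "19.99")
    return {
        "genuine": run(NOTIFICATION),
        "price_tampered": run(NOTIFICATION.replace("19.99", "0.01")),
        "extra_cmd": run(NOTIFICATION + "&cmd=_some_other_command"),
        "forged": run("txn_id=FAKE&payment_status=Completed&mc_gross=19.99"),
    }
```

Only the untouched echo is accepted; the price change, the appended cmd= and the fully forged body all fail at the validation step, before any merchant logic runs.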
