Bug/Vulnerability - Order Submission W/O payment. - Stripe Payment

by peterbuzzin » Fri Mar 31, 2023 11:47 am

Hi,

Haven't been that chatty for a while but used to try to contribute a bit back in the day of osC.

We've been having a few problems with orders going through that haven't been paid for. We're still using older versions of osC (pre V4) with some borrowed bits from BS/Phoenix because as a company we've made many customisations/upgrades that will take a while to transition to Phoenix but we still dip in from time to time for the addons. But I can confirm this issue is with Phoenix also.

Stripe SCA uses javascript to prevent submission of the checkout_confirmation.php form to checkout_process.php until it gets a success result from Stripe.

The flaw is that prevention of orders being submitted relies on JavaScript being enabled and/or the existing store JavaScript being without errors, and is also reliant upon jQuery being successfully loaded from an external source (CloudFlare).

There isn't any frontend code to prevent a submission such as adding a random text input field that's required and also hidden (display:none;). The form would not be able to submit unless the JS populates the field with a value upon successful payment. This itself alone doesn't go far enough to prevent the issue as it's also reliant upon the browser/html being untampered, someone with knowledge could manipulate this either by disabling html form validation or using Developer Tools to manually provide the field with a value.

So now on to server-side validation. There isn't any server-side code within the module to detect whether a submission has actually been paid for or not before sending order confirmation emails.

The moment someone submits the form under the above conditions, checkout_process.php immediately triggers the before_process() method within stripe_sca.php. The only job of before_process() is to execute after_process(), which builds/sends the order email and then redirects to the checkout_success.php page.

The matter becomes worse if you have the automated deletion of preparing orders feature active, as the preparing order will be deleted and you'll have no record of this order in admin.

Sorry to be the bearer of bad news but thought it might be helpful to share with you.

If you'd like to replicate this, disable JavaScript within your browser and proceed through the checkout.
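A server-side check of the kind the post says is missing, as an added example that is not part of the original post or of the stripe_sca module: before_process() asks Stripe whether the PaymentIntent actually succeeded for the amount the server itself computed for the order, and refuses to hand off to after_process() otherwise. The session key `stripe_sca_payment_intent`, the constant `STRIPE_SECRET_KEY` and the use of curl against the Stripe REST API are assumptions; `$order`, `$messageStack`, tep_redirect(), tep_href_link() and FILENAME_CHECKOUT_PAYMENT are the standard osCommerce helpers.

```php
<?php
// Added example, not the stripe_sca module's own code. Assumptions (hypothetical):
// the JS checkout stored the confirmed PaymentIntent id in
// $_SESSION['stripe_sca_payment_intent'] and the secret key is in STRIPE_SECRET_KEY.

// Ask Stripe directly whether this PaymentIntent succeeded for the expected amount.
// Any error, timeout or mismatch is treated as "not paid", never as "paid".
function stripe_sca_verify_payment($intent_id, $expected_amount, $expected_currency, $secret_key) {
    // Only a well-formed id may be placed in the request URL.
    if (!preg_match('/^pi_[A-Za-z0-9]+$/', $intent_id)) {
        return false;
    }
    $ch = curl_init('https://api.stripe.com/v1/payment_intents/' . $intent_id);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => array('Authorization: Bearer ' . $secret_key),
        CURLOPT_TIMEOUT        => 15,
    ));
    $body = curl_exec($ch);
    $http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $http !== 200) {
        return false;
    }
    $pi = json_decode($body, true);
    return is_array($pi)
        && isset($pi['status'], $pi['amount'], $pi['currency'])
        && $pi['status'] === 'succeeded'
        && (int)$pi['amount'] === (int)$expected_amount
        && strtolower($pi['currency']) === strtolower($expected_currency);
}

class stripe_sca {
    // ... the module's existing methods, including after_process(), are unchanged ...
    // Hardened before_process(): the decision to process the order is made here,
    // server-side, and no longer depends on the browser or on JavaScript.
    function before_process() {
        global $order, $messageStack;
        $intent_id = isset($_SESSION['stripe_sca_payment_intent']) ? $_SESSION['stripe_sca_payment_intent'] : '';
        // Expected amount comes from the order the server built, not from the POST.
        // Stripe amounts are in minor units; zero-decimal currencies need no *100.
        $expected = (int)round($order->info['total'] * 100);
        if (!stripe_sca_verify_payment($intent_id, $expected, $order->info['currency'], STRIPE_SECRET_KEY)) {
            $messageStack->add_session('checkout_payment', 'Your payment could not be verified; the order has not been placed.', 'error');
            tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL')); // tep_redirect() exits
        }
        // Paid: keep the intent id with the order so admin can see the payment reference.
        $order->info['comments'] .= "\nStripe PaymentIntent: " . $intent_id;
        $this->after_process();
    }
}
```

Because the check runs in checkout_process.php itself, entering that URL directly or submitting the form with JavaScript disabled now ends at checkout_payment with an error rather than at an unpaid order and a confirmation email.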

Re: Bug/Vulnerability - Order Submission W/O payment.

by raiwa » Sat Apr 01, 2023 7:06 am

Hi Peter,

Thank you very much for your insight and report.
I'm not sure if this is a real live issue.
It's supposed that a shop owner checks on the Stripe side if a payment has been received. In the described scenario there is also no payment confirmation added to the order comments.
In the several years the stripe module has been published, no one has reported any problems like this.
Best wishes
Rainer

Re: Bug/Vulnerability - Order Submission W/O payment.

by peterbuzzin » Mon Apr 03, 2023 8:53 am

raiwa wrote: I'm not sure if this is a real live issue.
Rainer
Security and the robustness of code have to be at the forefront. I can only speak from commercial experience, where every/any issue is a real live issue, especially when dealing with large numbers (the more activity/orders there are, the greater the chance for something like this to happen). Browser configurations vary from user to user, browser updates happen all the time, overzealous firewalls/browser plugins etc. I was certainly surprised when I looked through the code to see there is no server-side validation when browser manipulation is a real thing. I'm pretty sure with this issue I could easily just manually enter the URL for checkout_process.php in the address bar after visiting checkout_confirmation.php and the order emails would go out.
raiwa wrote: It's supposed that a shop owner checks on stripe side if a payment has been received.
Rainer
That's not really a viable option in real world/commercial scenarios. I guess it depends on how Phoenix and/or this addon is supposed to be perceived. If it's just for hobbyist stores that have one or two orders every now and then, or there are cron jobs that run EOD reconciliation, I suppose that's ok, but if it's intended to work with sales of great volumes (100+ a day) then cross checking isn't really an option. I've tried to use that explanation myself in the past; it only buys a little time ;)
raiwa wrote: In the described scenario there is also no payment confirmation added to the order comments.
In the several years the stripe module has been published, no one has reported any problems like this.
Rainer
This has already been a real live issue that has been reported to you in 2020 (https://www.oscommerce.com/forums/topic ... nt=1804844), it just never got investigated as Smoky Barnable explained it away as "I think this was caused by a network communication/timeout error since it only happened once in thousands of orders". It's also happened on several of the stores we manage (it's why I'm posting).

It's also embarrassing and worrying for the store owner, their store is sending out emails for orders that haven't been paid for, sometimes they don't even get to know about it until a customer gets in touch asking why their order hasn't been delivered (because the customer thinks they paid for it). In the end the store owner loses confidence in the store and starts to over worry.

I'm certainly not trying to bust your b**ls, please don't think that. I've coded a solution that works fine in one of our development stores. I'm going to be applying it today in production to our clients' stores in small batches and see how they get on. I'll post back with the code if everything goes ok and I'll leave it up to you to decide what to do with it. (It will need some tweaking to work with Phoenix but the logic/process is the same.)

Re: Bug/Vulnerability - Order Submission W/O payment.

by raiwa » Mon Apr 03, 2023 8:58 am

Ok. Thank you. I'll thankfully apply your fixes.

But I think we have to distinguish 2 cases:
1. A normal/legal customer will see the alert message that he has JavaScript disabled and the shop will not work as expected.
2. A hacker trying to get an order shipped without paying will not be bothered that he gets the order confirmation mail.

If a Stripe order is registered, the shop operator at least should be alerted when he doesn't see the payment confirmation/details in the order comments.

I understand that you experienced issues, but believe you are the only one who has reported it.