Guest Posted February 14, 2007

I'm not sure how this has happened, and I've checked everything I can think of. Here's the story: A few days ago, I had a customer try to make a purchase. Authorize.net declined the card twice. Customer sent me an email asking if he could call with the card details, after which I wrote back saying that I'd have to run it through the same system. I also mentioned that he could try PayPal, which is more forgiving for address mismatches, which was why his card was declined.

Yesterday, I got the emails for 2 new orders from this same customer, one for a free item and one for a paid item (not the same as he tried purchasing before, but a lower cost one). No payment emails. When I looked in my admin interface at the orders for the day, I saw that both of his orders were marked as "Completed" (I have the auto order complete mod to do this when downloadable orders have been downloaded), including the paid product.

My first thought was that maybe the payment gateway failed to send the payment email, so I checked Authorize.net for the transaction. Nothing there. I then checked PayPal to see if maybe the customer switched payment gateways and completed the order there. Still nothing. I also checked my E-Gold account, as that is the only other payment gateway I use. Nothing there either.

From here, I considered the possibility that maybe this person found a security hole in CubeCart, so I searched through the server access logs of the site. I can see this person's IP address, and I can see some activity around the time the order was placed, but there's no record of the order actually being placed. (No record of ANY orders being placed, for that matter - no 'step5' in the whole log, for the month! I have TraceWatch installed and it recorded the whole order process, including the step5. This makes me wonder if the server logs have been altered.)

I can also see where this person downloaded the files with a different IP address, which doesn't show up anywhere else (this person is on dialup - the IP changes each time he logs in). I also didn't see anything that looked like an injection hack. Considering that I know the half dozen people that have websites on my server, I don't suspect any cross site scripting, but I'm thinking that's the only possibility left.

My question is this: Does anyone know what might have happened here? And how can we prevent it from happening again?
Guest trochia Posted February 15, 2007

"I can also see where this person downloaded the files with a different IP address, which doesn't show up anywhere else (this person is on dialup - the IP changes each time he logs in)."

The exact same files?.. Very strange

Jim
Guest Posted February 15, 2007

Hi Jim, I guess I wasn't clear enough. The order was placed with one IP and downloaded with a different IP. The files were downloaded only once.

Here's the update. After thinking about this, I realized that if this person found a loophole in the system, I should just go ahead and let him have whatever products he wants for the information. After all, they're digital and won't cost me anything extra to produce. So I wrote him a note saying that I didn't understand what happened, that I see where he's been able to download the product, but I see no record of a payment, and if he's found a hole in the system I'd gladly give him a copy of everything for the information.

The customer wrote back with a description of what he did, and offering to pay for the product. In essence, due to switching to a new skin, and forgetting about some modifications I did to the last one, the manual payment page (for Authorize.net) didn't have a clearly visible 'Submit' button, so he filled out the form and hit the Enter key on his keyboard. That's it! After querying about his OS and browser, I found that he uses Windows and Firefox with no special settings.

With his willingness to complete a payment for the item, I am hesitant to think of this as a 'hack', yet I have had others complete the Authorize.net payment process since the new skin was installed. I'm still not sure why there wasn't any record of a 'step5' in the server logs, or why his order was set to 'Processed' instead of 'Pending' as several others have been, including the order this same customer tried placing several days ago.

I guess at this point I have to consider this a very weird glitch in the system and hope that it doesn't happen again. If it does, then maybe we'll have additional information to track down the cause.
convict Posted February 17, 2007

Alan, I sent you an explanation + fix via PM. State update to FALSE is the quickest but uncomfortable solution. Have fun!

BTW maybe time to write a list of NON RECOMMENDED cc3 built-in payment gateways on a store selling digital goods. This is an example:

Authorize AIM
PayPal Standard
PayPal PRO
PayPal Express Checkout
. . . . and moooore

DO NOT ADD PAYMENT PROCESSOR NAME to its description area, this is highly recommended.
Guest Posted February 17, 2007

You are a coding GOD, Milos! I've installed your fix and tested as you suggested and it works as promised. You mentioned several other gateways as well. Are there ways to fix those as well?
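The defect the thread narrows down to, and the shape of the fix convict describes ("state update to FALSE"), are worth seeing side by side. The following is an added illustration written for this thread; it is not CubeCart code and not the fix Milos sent by PM. It contrasts a checkout handler that advances the order state as soon as the payment form posts back (so an Enter-key submission with no charge behind it still reaches "Processing", and the auto-complete-on-download mod then finishes the job) with a handler that leaves the order Pending until a server-side gateway notification with a valid signature and a matching amount arrives. The order fields, status names, callback layout, shared secret and HMAC construction are all constructed assumptions for the example, not any real gateway's protocol.

```python
"""Order-state handling for a digital-goods store: the weak pattern the
thread describes beside a hardened one.  Constructed illustration only;
not CubeCart's code and not a real gateway's callback format."""

from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac


class OrderStatus(Enum):
    PENDING = "Pending"
    PROCESSING = "Processing"
    COMPLETED = "Completed"


@dataclass
class Order:
    order_id: str
    amount: float
    status: OrderStatus = OrderStatus.PENDING
    paid: bool = False            # set only by a verified gateway notification
    downloads_served: int = 0


# --- weak pattern ---------------------------------------------------------
# Reaching the post-form step is treated as proof of payment.  Anything that
# submits the form (a Submit button or the Enter key in a text field) gets here.
def weak_on_form_return(order: Order, form_fields: dict) -> Order:
    order.status = OrderStatus.PROCESSING   # hypothetical: trusts the client
    return order


def weak_release_download(order: Order) -> bool:
    # The auto-complete-on-download step only checks the status label.
    if order.status in (OrderStatus.PROCESSING, OrderStatus.COMPLETED):
        order.downloads_served += 1
        order.status = OrderStatus.COMPLETED
        return True
    return False


# --- hardened pattern -----------------------------------------------------
GATEWAY_SECRET = b"constructed-shared-secret"   # assumption: issued by gateway


def hardened_on_form_return(order: Order, form_fields: dict) -> Order:
    # A form submission proves nothing about payment; leave the state alone.
    return order


def gateway_signature(order_id: str, amount: str, result: str) -> str:
    # Constructed HMAC layout standing in for a real gateway's callback hash.
    msg = f"{order_id}|{amount}|{result}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_on_gateway_callback(order: Order, callback: dict) -> Order:
    # Only a server-to-server notification that is correctly signed, names
    # this order, matches its amount and reports approval moves it forward.
    expected = gateway_signature(callback["order_id"], callback["amount"],
                                 callback["result"])
    if not hmac.compare_digest(expected, callback.get("signature", "")):
        return order
    if callback["order_id"] != order.order_id:
        return order
    if float(callback["amount"]) != order.amount:
        return order
    if callback["result"] != "approved":
        return order
    order.paid = True
    order.status = OrderStatus.PROCESSING
    return order


def hardened_release_download(order: Order) -> bool:
    # Downloads require the payment record, not just a status label.
    if not order.paid:
        return False
    order.downloads_served += 1
    order.status = OrderStatus.COMPLETED
    return True


def replay_thread_scenario(handler: str) -> Order:
    """Replay the thread's sequence with constructed data: payment form
    submitted via the Enter key, no charge made, then a download attempt.
    handler is 'weak' or 'hardened'."""
    order = Order(order_id="ORD-1", amount=19.95)
    form = {"card_last4": "1111", "submitted_via": "enter-key"}  # constructed
    if handler == "weak":
        weak_on_form_return(order, form)
        weak_release_download(order)
    else:
        hardened_on_form_return(order, form)
        hardened_release_download(order)
    return order
```

With the weak handler the replay ends with the order Completed, one download served and no payment record, which is exactly the state the first post reports. With the hardened handler the order is still Pending and the download is refused until `hardened_on_gateway_callback` has accepted a signed, amount-matching notification; that is why the same change applies to every gateway in convict's list, not just Authorize.net.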