Jump to content

Security Alert - Possible CSRF after Paypal directs customers back to my site


Guest
 Share

Recommended Posts

Hi there, 

Previous to my last topic regarding the cross-site forgery request issue. #1637 

I fixed the issue by reinstalling cube cart as after every suggestion it wouldn't let me login to the admin panel. 

Now I am facing the same issue which is frustrating. When I place an order via PayPal (Sandbox) and I am redirected back to my site the CSRF error is shown. I have to manually refresh the page to show the order details. Like previous I have tried a fresh installation of Cubecart without any changes and the same error happens. I have tried clearing all the caches, sessions, clearing my web browser, even tho this error is happening on multiple browsers. I am running the latest PHP version and Latest Cubecart version. I am using the standard Paypal extension plugin. located here https://www.cubecart.com/extensions/payment-gateways/paypal-standard

I have thought well I could add a refresh to the page with php and add this to the redirect page however this defeats the object. I am wondering if the error is something to do with PayPal and the error lies with the token not being passed back correctly. Cubecart is such a good platform aside from these little issues. 

Thankyou in advance

Secuirty Alert Possible CSRF.png

Link to comment
Share on other sites

4 minutes ago, Dirty Butter said:

Have you tried it with Live PP? It will cost you a 30 cent cost for refunding all but that PP fee. But maybe the Sandbox is the issue?????

Was actually just about to try that :)

Tested in Live and still the same issue :(

Just a note as well. I have tried removing the ampersand from the php config file as suggested on a previous post

 

Link to comment
Share on other sites

11 minutes ago, Dirty Butter said:

When you re-did the install did you fix the gateway bug again?

 

Thought that also but no changed that before hand. At the minute im trying to get around it by having a refresh happen on the page as soon as im redirected back to the site!!!

Link to comment
Share on other sites

I'm totally stumped, but my help skills are very limited. Save and rename your .htaccess file. CC will create one again - just on the chance there is something in your file that is corrupting or re-directing the notification from PP.

Is there anything unusual about your install? Like on your own server? Is the store at the root or a subdomain? If subdomain, is there a Wordpress installed at the domain root?

Link to comment
Share on other sites

Tell me about it. I tried what you suggested with the .htaccess file but no luck. However ive fixed the issue with abit of a bodge for now. I have changed the return url in the gateway.class file located in the modules/paypal folder to redirect.php which I created in the root directory. In this file I have a redirect to index.php?_a=complete
This sorts the issue and the CSRF error is never shown just the order confirmation.

I suppose its some sort of a fix :)

 

<?php
echo "<meta http-equiv=\"refresh\" content=\"0;URL=index.php?_a=complete\">";
?>

To rub salt in the wound tho. The payment status is always pending when in fact on PayPals end it is complete

Link to comment
Share on other sites

I just tried accessing my PP IPN info with Chrome, instead of FF, and it works. (Turns out I had the text size big enough to take the Update links off right side.)

Login to your PayPal account and see if everything looks correct here and in the IPN History:

https://www.paypal.com/cgi-bin/customerprofileweb?cmd=_profile-ipn-notify

Link to comment
Share on other sites

1 hour ago, Dirty Butter said:

I just tried accessing my PP IPN info with Chrome, instead of FF, and it works. (Turns out I had the text size big enough to take the Update links off right side.)

Login to your PayPal account and see if everything looks correct here and in the IPN History:

https://www.paypal.com/cgi-bin/customerprofileweb?cmd=_profile-ipn-notify

Yes everything looks correct and im getting the response code 200 and delivery status as sent!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...