VP-ASP Shopping Cart Customer Forum

 Failed Orders

PabloHoney
Starting Member

Canada
20 Posts

Posted - February 12 2008 : 12:13:05
Hi All,

I am using version 6.5 of vp asp and my payment processor is Payflow Pro. I noticed that there have been a few orders that were denied by Verisign and the auth code was:

refno= status= aa

I also noticed that there were some successful orders with that same authorization number.

My VP ASP backend does not separate bad orders from good orders. There have been a few orders that were shipped to customers and we were never paid. This is a problem!

Should VP ASP not somehow flag orders as being unsuccessful if the payment doesn't go through?

devshb
Senior Member

United Kingdom
1898 Posts

Posted - February 12 2008 : 14:44:36
oh dear; looks like a hack; that's one of the signs that someone's used the paypalresult hack against the site; make sure you've got rid of your paypalresult.asp file if you're not using paypal, or plugged the patch that vpasp mention.

then download/use our freebie hack-checker to see if any data's been injected:
http://www.bigyellowzone.com/shopexd.asp?id=146

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

PabloHoney
Starting Member

Canada
20 Posts

Posted - February 13 2008 : 08:18:19
Hi,

I'm sure that this isn't a hack because we only deal with dentists who are members of our organization. Both orders were by people who placed other orders with us afterwards and their second purchases were ok.

I am assuming that if a payment isn't successful then VPASP is supposed to update the database and flag the order as being incomplete or at least unpaid for.

Is this a problem with the software or a setting somewhere?

Thanks,
Dean Smith

devshb
Senior Member

United Kingdom
1898 Posts

Posted - February 13 2008 : 08:51:06
having your oauthorization field set to a value of aa is definitely a hack; it's one of the signs that we noticed the other day when we did a check/fix service; it's used by hackers to test the vulnerability of the system.

it looks like you've got 2 problems going on; 1 is the fact that a hacker is overwriting all your oauth values, and the other is that the payment config options (eg endofordervalidpayments) might not have the correct payflo value in it.

eg, say you had a protx gateway, then the value to put into the endofordervalidpayments config option would be:
Protx
the gateway will return a specific string which is checked against the list of valid payments in that config option; if it agrees to one of those values then it'll succeed, otherwise vpasp won't consider it valid.

the value that the gateway returns (eg "Protx", or "PayPal" etc) is checked against the validpayments config option, and that value is then put into the ocard column; the ocard column wouldn't have the actual card-type in it after a successful payment, it'd have the gateway string instead.

if a hacker has attacked the oauth values, then they now know that the vulnerability is there for the site and so they know that they can do anything else they want to the database; once they get into the database it's open season for them.

if you're lucky it's just been a simple data injection for a bit of javascript, if you're even luckier they've tested the site but haven't done a full blown hack yet, if you're unlucky, well, you don't even want to know what they could potentially do; it's too scary!

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on February 13 2008 09:07:40

PabloHoney
Starting Member

Canada
20 Posts

Posted - February 13 2008 : 09:23:39
Hi Simon,

First, thanks for the quick replies.

OK, so I updated the code to prevent any SQL Injections but I am still left with the same problem. I just tried to enter an order that I received (the shopper called me and gave me her CC Number and I went online and entered the order through the store). When I finalize the order and enter the Credit Card info I get a card failed message with the error code 12 - Declined.

After the order failed, I logged into the store admin and looked at the order, there is nothing there that lets the user know that the order failed, in this case the oauthorization field is empty but the error isn't saved in the database and this order is displayed with all the other orders.

When a payment fails, I need the order to stand out from the others, I do not want our shipping dept to have to check each order. It would be best if failed orders do not show up on the summary page. Can I assume that every failed order should have a blank oauthorization field? Also, the field oerrors is always blank. Should this field have a value if the transaction fails?

Thanks,
Dean Smith

devshb
Senior Member

United Kingdom
1898 Posts

Posted - February 13 2008 : 10:14:42
the unpaid orders should be displaying in the admin order-summary page as a different color to the paid ones; in shop$colors.asp there's a setting for the background color to show the unpaid items with:

const ReportdetailRowUnpaid="<tr style=""background-color:#dddddd"">"


it's not necessarily the auth field that it checks on the vpasp side as that's just an info field so you can see what the specific gateway came back with; it's mostly that the ocardtype isn't null and that it matches one of the values in the endofordervalidpayments config options.

the easiest way to set the validpayment config option is to look at what the ocardtypes are for the paid orders.


Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on February 13 2008 10:22:32
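
Added example, not part of the thread and not VP-ASP or BigYellowZone code: a small audit that applies the two checks discussed above (ocardtype must match the endofordervalidpayments list; oauthorization must not be blank or the "aa" value reported in this thread) to a constructed orders table. The table name, the orderid column, the sample rows and the case-insensitive comparison are assumptions; "Protx" is the sample config value from the post above.

```python
import sqlite3

# Assumptions: table "orders" and column "orderid" are hypothetical names;
# oauthorization and ocardtype are the column names used in the thread.
VALID_PAYMENTS = "Protx"   # sample endofordervalidpayments value from the post
TAMPER_MARKERS = {"aa"}    # oauthorization value reported in this thread

def audit_orders(conn, valid_payments=VALID_PAYMENTS):
    """Return {orderid: [reasons]} for orders that should be held for review."""
    valid = {v.strip().lower() for v in valid_payments.split(",") if v.strip()}
    findings = {}
    rows = conn.execute("SELECT orderid, oauthorization, ocardtype FROM orders")
    for orderid, auth, cardtype in rows:
        reasons = []
        auth = (auth or "").strip()
        cardtype = (cardtype or "").strip()
        if not cardtype:
            reasons.append("ocardtype empty: no gateway confirmation recorded")
        elif cardtype.lower() not in valid:
            reasons.append("ocardtype not in valid payments list")
        if not auth:
            reasons.append("oauthorization empty")
        elif auth.lower() in TAMPER_MARKERS:
            reasons.append("oauthorization matches value reported as tampering")
        if reasons:
            findings[orderid] = reasons
    return findings

def build_sample_db():
    """Constructed sample data, not taken from any real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orderid INTEGER PRIMARY KEY,"
                 " oauthorization TEXT, ocardtype TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "A1B2C3", "Protx"),  # paid: gateway string and auth code present
        (2, "aa", "Protx"),      # auth field overwritten with the marker value
        (3, None, None),         # declined: nothing recorded by the gateway
        (4, "X9Y8Z7", "Visa"),   # card type stored instead of gateway string
    ])
    return conn

if __name__ == "__main__":
    for oid, why in audit_orders(build_sample_db()).items():
        print(oid, "; ".join(why))
```
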

PabloHoney
Starting Member

Canada
20 Posts

Posted - February 13 2008 : 10:41:24
We use Paypal Payflow Pro and allow our customers to use Visa and Mastercard. With that said, currently the value for endofordervalidpayments is Visa,Mastercard. Is this the correct setting?

Thanks,
Dean Smith

support
Administrator

4266 Posts

Posted - February 13 2008 : 20:49:47
Hi Dean

If you are having trouble getting this working it may be an idea to post in our help desk so our support crew can investigate directly on your site what is going wrong.

https://www.vpasp.com/virtprog/helpdesk/

Thanks
Cam

VP-ASP Support