PabloHoney
Starting Member
Canada
20 Posts |
Posted - February 12 2008 : 12:13:05
|
Hi All,
I am using version 6.5 of vp asp and my payment processor is Payflow Pro. I noticed that there have been a few orders that were denied by Verisign and the auth code was;
refno= status= aa
I also noticed that there were some successful orders with that same authorization number.
My VP ASP backend does not separate bad orders from good orders. There have been a few orders that were shipped to customers and we were never paid. This is a problem! Should VP ASP not somehow flag orders as being unsuccessful if the payment doesn't go through?
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - February 12 2008 : 14:44:36
|
oh dear; looks like a hack; that's one of the signs that someone's used the paypalresult hack against the site; make sure you've got rid of your paypalresult.asp file if you're not using paypal, or plugged the patch that vpasp mention.
then download/use our freebie hack-checker to see if any data's been injected: http://www.bigyellowzone.com/shopexd.asp?id=146
Simon Barnaby Developer www.BigYellowZone.com Web Design, Online Marketing and VPASP addons |
|
|
PabloHoney
Starting Member
Canada
20 Posts |
Posted - February 13 2008 : 08:18:19
|
Hi,
I'm sure that this isn't a hack because we only deal with dentists who are members of our organization. Both orders were by people who placed other orders with us afterwards and their second purchases were ok.
I am assuming that if a payment isn't successful then VPASP is supposed to update the database and flag the order as being incomplete or at least unpaid for.
Is this a problem with the software or a setting somewhere?
Thanks, Dean Smith |
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - February 13 2008 : 08:51:06
|
having your oauthorization field set to a value of aa is definitely a hack; it's one of the signs that we noticed the other day when we did a check/fix service; it's used by hackers to test the vulnerability of the system.
it looks like you've got 2 problems going on; 1 is the fact that a hacker is overwriting all your oauth values, and the other is that the payment config options (eg endofordervalidpayments) might not have the correct payflow value in it.
eg, say you had a protx gateway, then the value to put into the endofordervalidpayments config option would be: Protx
the gateway will return a specific string which is checked against the list of valid payments in that config option; if it agrees to one of those values then it'll succeed, otherwise vpasp won't consider it valid.
the value that the gateway returns (eg "Protx", or "PayPal" etc) is checked against the validpayments config option, and that value is then put into the ocard column; the ocard column wouldn't have the actual card-type in it after a successful payment, it'd have the gateway string instead.
if a hacker has attacked the oauth values, then they now know that the vulnerability is there for the site and so they know that they can do anything else they want to the database; once they get into the database it's open season for them.
if you're lucky it's just been a simple data injection for a bit of javascript, if you're even luckier they've tested the site but haven't done a full blown hack yet, if you're unlucky, well, you don't even want to know what they could potentially do; it's too scary!
Simon Barnaby Developer www.BigYellowZone.com Web Design, Online Marketing and VPASP addons |
Edited by - devshb on February 13 2008 09:07:40 |
|
|
PabloHoney
Starting Member
Canada
20 Posts |
Posted - February 13 2008 : 09:23:39
|
Hi Simon,
First, thanks for the quick replies.
OK, so I updated the code to prevent any SQL Injections but I am still left with the same problem. I just tried to enter an order that I received (the shopper called me and gave me her CC Number and I went online and entered the order through the store). When I finalize the order and enter the Credit Card info I get a card failed message with the error code 12 - Declined.
After the order failed, I logged into the store admin and looked at the order, there is nothing there that lets the user know that the order failed, in this case the oauthorization field is empty but the error isn't saved in the database and this order is displayed with all the other orders.
When a payment fails, I need the order to stand out from the others, I do not want our shipping dept to have to check each order. It would be best if failed orders do not show up on the summary page. Can I assume that every failed order should have a blank oauthorization field? Also, the field oerrors is always blank. Should this field have a value if the transaction fails?
Thanks, Dean Smith |
|
|
devshb
Senior Member
United Kingdom
1904 Posts |
Posted - February 13 2008 : 10:14:42
|
the unpaid orders should be displaying in the admin order-summary page as a different color to the paid ones; in shop$colors.asp there's a setting for the background color to show the unpaid items with:
const ReportdetailRowUnpaid="<tr style=""background-color:#dddddd"">"
it's not necessarily the auth field that it checks on the vpasp side as that's just an info field so you can see what the specific gateway came back with; it's mostly that the ocardtype isn't null and that it matches one of the values in the endofordervalidpayments config options.
the easiest way to set the validpayment config option is to look at what the ocardtypes are for the paid orders.
Simon Barnaby Developer www.BigYellowZone.com Web Design, Online Marketing and VPASP addons |
Edited by - devshb on February 13 2008 10:22:32 |
|
|
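An added example, not part of the thread and not VP-ASP's own code: a triage pass over exported order rows that applies the check described above (ocardtype must be non-empty and match a value in endofordervalidpayments) and separately flags the oauthorization value "aa" that devshb reports as a sign of tampering. The `orderid` key, the sample rows and the case-insensitive comparison are assumptions of this sketch.

```python
# Added example: ocardtype/oauthorization come from the thread; "orderid",
# the rows and the case-insensitive comparison are assumptions.

SUSPECT_AUTH_VALUES = {"aa"}  # marker value reported in the thread


def parse_valid_payments(config_value):
    """Split a comma-separated endofordervalidpayments value into a set."""
    return {v.strip().lower() for v in config_value.split(",") if v.strip()}


def classify_order(order, valid_payments):
    """Return (status, reasons) for one order row (a dict)."""
    reasons = []
    card_type = (order.get("ocardtype") or "").strip().lower()
    auth = (order.get("oauthorization") or "").strip().lower()

    if not card_type:
        reasons.append("ocardtype is empty")
    elif card_type not in valid_payments:
        reasons.append("ocardtype not in endofordervalidpayments")
    if auth in SUSPECT_AUTH_VALUES:
        # A marker value outranks the paid/unpaid question: review by hand.
        reasons.append("oauthorization holds suspect marker value")
        return "investigate", reasons
    return ("unpaid" if reasons else "paid"), reasons


def triage(orders, config_value):
    """Classify every order; returns {orderid: (status, reasons)}."""
    valid = parse_valid_payments(config_value)
    return {o["orderid"]: classify_order(o, valid) for o in orders}


# Constructed sample rows (not real data).
SAMPLE_ORDERS = [
    {"orderid": 101, "ocardtype": "Visa", "oauthorization": "010101"},
    {"orderid": 102, "ocardtype": None, "oauthorization": ""},
    {"orderid": 103, "ocardtype": "Visa", "oauthorization": "aa"},
    {"orderid": 104, "ocardtype": "Amex", "oauthorization": "020202"},
]

if __name__ == "__main__":
    for oid, (status, why) in triage(SAMPLE_ORDERS, "Visa,Mastercard").items():
        print(oid, status, "; ".join(why))
```

Orders marked "investigate" are held back from shipping regardless of what ocardtype says, since that column may have been written by the same injection.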
PabloHoney
Starting Member
Canada
20 Posts |
Posted - February 13 2008 : 10:41:24
|
We use Paypal Payflow Pro and allow our customers to use Visa and Mastercard. With that said, currently the value for endofordervalidpayments is Visa,Mastercard. Is this the correct setting?
Thanks, Dean Smith |
|
|
support
Administrator
4679 Posts |
Posted - February 13 2008 : 20:49:47
|
Hi Dean
If you are having trouble getting this working it may be an idea to post in our help desk so our support crew can investigate directly on your site what is going wrong.
https://www.vpasp.com/virtprog/helpdesk/
Thanks Cam
VP-ASP Support |
|
|