New on LowEndTalk? Please Register and read our Community Rules.
Jarland is stupid
This was a post warning providers about a WHMCS exploit with the PayPal module. The exploit doesn't exist. If it does, I didn't run into it. More in replies.
Comments
Why would you post this publicly though before a patch is available? That's not responsible reporting.
Because providers can mitigate it and I can't prove how it's accomplished, meaning I can't provide useful information to the developers.
If this exposed client data I might react differently.
Drop this in /modules/gateways/callback/.htaccess to mitigate:
I know they have other IPs, but I have no recent record of other ranges being used for IPN recently. Compare your logs to see if your dice roll offers a different result.
This should help to whitelist only PayPal IPN IPs (check that your IPN callback URL is correct).
IPs are taken from: https://www.paypal.com/us/smarthelp/article/what-are-the-ip-addresses-for-live-paypal-servers-ts1056
Corrections are welcome.
I wonder if this affects the new WHMCS Paypal gateway module since it supposedly does not rely on IPNs.
WHMCS needs to put their **t back together.
They are having continuous issues with their 2Checkout module for more than a year now. Every fix breaks something new.
If you hear anything positive, please do not forget to share.
Edit: Removed for now. I think I'm missing something.
That's really bad news. The odds of them using your services for illegal activity are very high too.
Get ready to crucify me:
All payments made with CoinPayments are currently logged as PayPal in the database, and it's throwing off my audit, and it made me see an exploit that wasn't there.
I'll take my lashings, but I'm going to need a red bull first.
2 lucky guys are getting 1 year of free service
I'm guessing this is something I did when switching away from Coinpayments to Coinbase Commerce. I never expected existing transactions to be re-labeled as PayPal payments.
If that's your definition of stupid, I'll trade places with you any day of the week. I wish my stupidity was only things like this.
In all seriousness... you acknowledged your mistake, and more importantly, revised the thread title to make sure the mentioned party didn't get any negative SEO from this.
The only real mistake is not owning up.
I popped so much popcorn, but now have no reason to eat it.
I do have a new complaint but it's much more tame. Now all transactions made with coinpayments are marked as PayPal. I thought it would just update the payment gateway on the product pages, not rewrite financial history...
hmm
And you haven't discovered what you don't know (yet)...
Thanks @jar for updating the community. BTW, I think here is the list of all PayPal IPs: https://www.paypal.com/us/smarthelp/article/what-are-the-ip-addresses-for-live-paypal-servers-ts1056
This should help; we implemented these rules via CloudFlare, and our website and portal are not accessible unless proxied via CloudFlare, so most likely it should cover it.
66.211.168.0/22 173.0.80.0/20 64.4.240.0/21 - these 3 blocks cover almost all of the IPN as well as notify IP ranges.
I thought you had just made it possible for other exploiters to use the exploit, but luckily you have revised it.
Thank you @jar
Bah... @jar, you know that people take you seriously here.
Off topic. Guys, as a percentage of total orders, how many clients use crypto? Still around 1-2%, while 98% use traditional payments like PayPal or credit cards? Or more?
@jar
"Jarland is stupid"
No, the evidence provided is utterly insufficient, hence -> assertion rejected.
When you shitpost about someone you should at least tag him @Jarland
Oh wait ...
We used to work together; unless you've had a serious accident, you ain't stupid.
Just a little early to call it, but that's why you get more eyes on it, anyway.
Keep on keeping on, man
WHMCS really isn't verifying PayPal's IPN requests? That's literally the first thing you do when integrating it: you verify that the requests are really coming from PayPal.
There is no need to whitelist IPs and WHMCS is probably verifying all messages.
https://developer.paypal.com/docs/api-basics/notifications/ipn/IPNIntro/
sisters for @jar please
This design is sound. It can be compromised only if the adversary breaks both DNS and TLS.
It can be simplified though: PayPal could place a signature on the message and the listener could validate it against PayPal's public key.
This is likely what the PayPal validation endpoint is doing, so that the listener doesn't need to implement public key validation.
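As an added illustration of the two defences discussed in this thread (the source-IP allowlist built from the three ranges quoted above, and the IPN post-back verification described at the PayPal link), here is an example listener check in Python. It is not code from the thread, from WHMCS or from PayPal. The `cmd=_notify-validate` echo and the `VERIFIED`/`INVALID` replies are from PayPal's IPN documentation; the IP ranges are the ones posted above and are assumed to be current, which you should re-check against PayPal's page. The HTTPS post-back to PayPal is injected as a callable so the example runs offline; `fake_paypal_postback`, `SAMPLE_IPN` and the transaction values are constructed for the example.

```python
import ipaddress
from typing import Callable, Mapping, Set
from urllib.parse import urlencode

# The three IPN/notify ranges quoted in the thread (from PayPal's TS1056 article).
# Assumption: this list is current; re-check it against PayPal's page before relying on it.
PAYPAL_IPN_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("66.211.168.0/22", "173.0.80.0/20", "64.4.240.0/21")
]


def ip_allowed(remote_addr: str) -> bool:
    """Layer 1: is the peer address inside a known PayPal IPN range?"""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:  # garbage in the header, proxy misconfiguration, etc.
        return False
    return any(addr in net for net in PAYPAL_IPN_RANGES)


def build_validation_body(ipn_params: Mapping[str, str]) -> str:
    """Layer 2 payload: the received message with its field order preserved and
    cmd=_notify-validate prepended, which is what PayPal's IPN protocol expects back."""
    return urlencode([("cmd", "_notify-validate")] + list(ipn_params.items()))


def verify_ipn(
    remote_addr: str,
    ipn_params: Mapping[str, str],
    post_back: Callable[[str], str],
    expected_receiver: str,
    seen_txn_ids: Set[str],
) -> bool:
    """Return True only if every check passes. `post_back` sends a body to
    PayPal's validation endpoint over HTTPS and returns the response text
    (injected here so the example runs offline)."""
    if not ip_allowed(remote_addr):
        return False
    if post_back(build_validation_body(ipn_params)).strip() != "VERIFIED":
        return False
    # A VERIFIED reply only proves PayPal sent this exact message; it does not
    # prove it was meant for this merchant or that it hasn't been delivered before.
    if ipn_params.get("receiver_email") != expected_receiver:
        return False
    if ipn_params.get("payment_status") != "Completed":
        return False
    txn_id = ipn_params.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:
        return False
    seen_txn_ids.add(txn_id)
    return True


# Constructed sample IPN message (not a real transaction).
SAMPLE_IPN = {
    "payment_status": "Completed",
    "receiver_email": "merchant@example.com",
    "mc_gross": "50.00",
    "mc_currency": "USD",
    "txn_id": "EXAMPLE-TXN-0001",
    "custom": "invoice-123",
}


def fake_paypal_postback(body: str) -> str:
    """Stand-in for the HTTPS POST to PayPal: answers VERIFIED only when the
    echoed body matches what 'PayPal' originally sent, INVALID otherwise."""
    return "VERIFIED" if body == build_validation_body(SAMPLE_IPN) else "INVALID"


if __name__ == "__main__":
    seen: Set[str] = set()
    merchant = "merchant@example.com"
    print(verify_ipn("173.0.81.1", SAMPLE_IPN, fake_paypal_postback, merchant, seen))  # True
    print(verify_ipn("173.0.81.1", SAMPLE_IPN, fake_paypal_postback, merchant, seen))  # False (replayed txn_id)
    tampered = dict(SAMPLE_IPN, mc_gross="0.01")
    print(verify_ipn("173.0.81.1", tampered, fake_paypal_postback, merchant, set()))  # False (INVALID)
```

The point of running both layers is that they fail independently: the IP check catches traffic that never came from PayPal's ranges before any parsing happens, the post-back catches a message that came from an allowed address but was altered in transit or mis-sent, and the receiver/status/txn_id checks catch a genuine PayPal message that is simply not a completed payment to you. The allowlist is also the piece most likely to rot, which is why the thread's own advice to compare it against your IPN logs applies.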
Will this restock? https://portal.mxroute.com/cart.php?a=add&pid=108
It will not. I was just going to let it run until it sold out, but frankly I've had enough of people from China signing up with fake identities to try to order it.
I wish I were kidding or that it were a mix of different scenarios, but instead it was literally just people from China making up to 5 different accounts in a row every single time, each with different fake identities, until one got through MaxMind.