Post on 28-Jun-2020
NBS System: Advisory on the Magento / PayPal vulnerability
19/04/2012, by Antonin le Faucheux & Philippe Humeau
Affected versions: EE before 1.10.1 & CE before 1.5, on sites offering PayPal checkout
http://www.nbs-system.co.uk
Vulnerability in Magento's implementation of PayPal
The flaw lies in the way Magento integrated the PayPal payment gateway. Since both
companies belong to the same group this may seem odd, but the advisory has been tested and
confirmed. Technically the flaw involves both sides: PayPal does not check enough, and
Magento relies on a browser-side mechanism for security.
What is true of Magento here is also widespread in other frameworks and sites.
One customer alerted us and we investigated the flaw detailed in this article. Fortunately,
that client was performing a manual double check of every payment, which let him mitigate the
attack. Others were not so wise or lucky.
Why disclose this vulnerability?
Knowing that pirates crawling Google in search of exploits will find this, why take the risk
of publishing it?
The reason is simple: through various sources we know that this vulnerability has been
actively exploited for a while, so it represents a real threat. Put simply: attackers already
know about it but the victims do not, so keeping it secret mainly benefits the bad guys.
The flaw was reported to Magento and has already been corrected in later versions (EE > 1.10.1 or
CE > 1.5). Alas, Magento practises "silent patching", which could be translated as "fix security
problems without warning anyone so that everyone believes the garden is perfectly green". So even
though the fault is corrected upstream, Magento Inc has made no official release to inform its
customers that this vulnerability exists and let them protect themselves.
The second problem is that the company releases no patch for the product, meaning that to fix
it you either upgrade to a later version (never an easy thing for an e-commerce site) or you
patch it yourself. Since Magento is an open-source platform, this is easily doable.
This article aims to explain the vulnerability and propose a solution for owners of vulnerable
websites. The flaw was revealed to us by an EE customer (who does not want to be named) and
the patch was developed by the agency DnD (www.dnd.fr).
Exploiting the flaw
Step 1: Place an order
On our favourite shop, which offers PayPal checkout, we put a product in the cart (this also
works with several items).
(Screenshots were taken from a French customer website and are not translated, sorry, but you
are surely familiar with these screens anyway.)
Once the product is in the cart and the delivery method chosen, we reach a total of 132.00 €,
VAT included.
Step 2: Interception and modification
Once the cart is validated, we choose PayPal and confirm. By intercepting the outgoing traffic from
our browser with the Burp proxy, we can see exactly what is sent to PayPal. In the traffic we
find a very interesting request:
The request carries many parameters, but the ones that draw our attention are at the end: our
article price, in clear text as a request parameter (97.83 €), the VAT rate and the delivery
price.
Because this data is sent from our browser to PayPal, we can tamper with it, send the altered
values and grant ourselves a "very good discount rate".
After editing the request parameters the item price is now 1.50 € and the delivery price
0.50 €. 2 € instead of 132 € is an appreciable discount; let's see how the checkout goes:
No problem, no verification: our 2 € payment validates our 132 € order. The data sent by the
browser is taken as reliable. Security that relies on the browser is never safe, and even less
so when the data it submits is neither signed nor encrypted.
Step 3: Check that Magento gets a positive return
We pay, then check what Magento receives back from PayPal.
Magento gets a go from PayPal: thanks for your business.
In the dashboard, the order for an amount of 132 € is in the processing state. Of course, if
your site is plugged into an automated fulfilment system, the parcel is already gone.
In the order details, the order shows an amount of 132 € and not the 2 € actually paid. Unless
you manually check every payment before shipping the goods, there is no way to detect the
fraud. Some merchants have already lost tens of thousands in goods, and maybe more for others.
Exploiting the flaw requires only script-kiddie level skills. Anyone can do it at home, which
makes it all the more widespread and dangerous.
Now that the fire is in the hole, let's protect the websites.
Patching the flaw
The solution described here comes from one of the first-class Magento web agencies (Agence
DnD, www.dnd.fr), which worked with a customer and PayPal to fix it. The goal is to cipher the
payment data exchanged between the browser and PayPal's servers, so that the browser only
carries an encrypted blob it can neither read nor alter. A general description of the method
(PayPal's Encrypted Website Payments) can be found on PayPal's website:
https://cms.PayPal.com/fr/cgi-bin/marketingweb?cmd=_render-content&fli=true&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P0B30
Step 1: Generating the private key and the public certificate
You can generate the key pair with the OpenSSL command line, or online with the following
website:
http://www.stellarwebsolutions.com/certificates/stellar_cert_builder.php
Either will produce the required items. OpenSSL is the safest way, provided you run it on a
machine you control: the private key never leaves it and you don't have to trust anyone but
yourself, whereas a key generated on a third-party website has been seen by that website.
Place the files in the lib/PayPal folder of your Magento installation.
PS: it is recommended to add a random prefix to the file name of your private key so that an
attacker cannot guess or brute-force it. Check also that the permissions and ownership on the
file are properly set.
Step 2: Configuring PayPal to use the certificate
(Translated; the exact names of the menus may differ slightly)
1. Log in to your PayPal account
2. Go to the Profile tab
3. In the "Vendor preferences" column, click "Payment certificates on merchant site"
4. Click "Add"
5. Click "Browse" and select your public certificate (e.g. "12345010577c235ac3b483a40518ghk-pubcert.pem")
6. Once uploaded, your public certificate appears under "Your public certificates"
7. Note the Cert ID, you will need it later
8. Download PayPal's public certificate
Step 3: Install the certificate in Magento
1. Place PayPal's public certificate in the lib/PayPal folder of your Magento site
2. Edit the file app/code/local/Mage/PayPal/Block/Standard/Redirect.php and add the Cert ID
noted on PayPal's site
Step 4: Check everything is now OK
If we sniff the request again, we now see completely ciphered content, parameters included. We
can no longer tamper with the exchange between the browser and PayPal's servers.
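The whole procedure above, carried through end to end as an added example. This is not code from the advisory, from Magento or from the DnD patch; it applies the recipe PayPal documents for Encrypted Website Payments, which is what the patched Redirect.php does on every checkout: the form fields are signed with the merchant's private key (PKCS#7 signed data, DER) and the signed blob is then encrypted to PayPal's public certificate (PKCS#7 enveloped data, PEM), so the browser only ever carries the envelope and posts it as the `encrypted` field of a `cmd=_s-xclick` form. Assumptions: a second self-signed certificate generated here stands in for PayPal's real certificate (in production that file is the one downloaded at Step 2, point 8); `business`, `cert_id`, the VAT rate and the shipping price are placeholder or constructed values, only the 97.83 € article price comes from the advisory; the `openssl` command line must be installed.

```shell
#!/bin/sh
# Added example, not part of the advisory or the DnD patch.
# PayPal's documented EWP recipe: sign the form fields with the merchant
# key, then encrypt the signed blob to PayPal's certificate. A self-signed
# certificate stands in for PayPal's real one (assumption, see lead-in).
set -e
if [ -z "${EWP_WORK:-}" ]; then
    WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT   # keys are deleted on exit
else
    WORK=$EWP_WORK
fi

# Step 1: private key + self-signed public certificate. $1 = file prefix
# (use a random one for the merchant key, as recommended above), $2 = subject.
ewp_gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1-prvkey.pem" -out "$WORK/$1-pubcert.pem" \
        -subj "$2" >/dev/null 2>&1
}

# The fields the unpatched Standard redirect form posts in clear, one per
# line as PayPal expects them inside an EWP blob. amount_1 and shipping_1
# are the two values edited in Burp in the walkthrough. $1 = Cert ID.
# VAT rate and shipping are constructed values, business is a placeholder.
ewp_form_fields() {
    printf '%s\n' \
        'cmd=_cart' \
        'upload=1' \
        'business=merchant@example.com' \
        "cert_id=$1" \
        'currency_code=EUR' \
        'item_name_1=Article' \
        'amount_1=97.83' \
        'quantity_1=1' \
        'tax_rate=19.60' \
        'shipping_1=15.00'
}

# Step 3, per request: sign with the merchant key and certificate (opaque
# signature, DER, no CRLF canonicalisation), then encrypt for PayPal.
# stdin = fields, $1 = merchant prefix, $2 = prefix of PayPal's certificate.
ewp_seal() {
    openssl smime -sign -signer "$WORK/$1-pubcert.pem" \
        -inkey "$WORK/$1-prvkey.pem" -outform der -nodetach -binary \
    | openssl smime -encrypt -des3 -binary -outform pem "$WORK/$2-pubcert.pem"
}

# PayPal's side, reproduced only to check the round trip: decrypt with
# PayPal's private key, then verify the signature. -noverify skips chain
# validation of the embedded signer certificate; PayPal instead matches
# that certificate against the one uploaded under cert_id.
# stdin = PEM envelope, $1 = PayPal prefix. Fails on any corruption.
ewp_open() {
    openssl smime -decrypt -inform pem -inkey "$WORK/$1-prvkey.pem" \
        -recip "$WORK/$1-pubcert.pem" 2>/dev/null \
    | openssl smime -verify -inform der -noverify 2>/dev/null
}

# Corrupt the base64 body of a PEM envelope (every line after BEGIN).
ewp_tamper() {
    sed '2,$y/AB/BA/'
}

# Step 4: prints "intact" when the sealed fields come back unchanged, the
# envelope hides the price, and a tampered envelope is rejected or at least
# does not reproduce the original fields; prints "broken" otherwise.
ewp_demo() {
    ewp_gen_cert merchant '/CN=shop.example/O=Merchant'
    ewp_gen_cert paypal '/CN=paypal-stand-in.example/O=PayPal stand-in'
    ewp_form_fields CERT-ID-PLACEHOLDER > "$WORK/fields.txt"
    ewp_seal merchant paypal < "$WORK/fields.txt" > "$WORK/encrypted.pem"
    ewp_open paypal < "$WORK/encrypted.pem" > "$WORK/opened.txt"
    cmp -s "$WORK/fields.txt" "$WORK/opened.txt" || { echo broken; return 1; }
    # The browser must no longer see the price as a parameter.
    if grep -q 'amount_1' "$WORK/encrypted.pem"; then echo broken; return 1; fi
    # A Burp-edited envelope must not open to the original fields.
    if ewp_tamper < "$WORK/encrypted.pem" | ewp_open paypal > "$WORK/tampered.txt" \
        && cmp -s "$WORK/fields.txt" "$WORK/tampered.txt"; then
        echo broken; return 1
    fi
    echo intact
}

ewp_demo
```

Run it with `sh ewp_demo.sh`; set `EWP_WORK` to a directory of your choice to keep the generated files. The merchant's private key is what makes the scheme work: it never reaches the browser, so a customer can edit the posted envelope but cannot produce a validly signed one with a different price, and PayPal rejects anything that does not decrypt and verify against the certificate registered under the Cert ID.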