Paypal payment security concern
Hi support / all,
I intended to use Paypal payments for a project in Aware, and when fiddling with difficulties with the return URL, I discovered a security issue which renders the current Paypal solution in Aware useless for me. I am sharing it here to hopefully get support to change it and make it secure, and also to inform others that may be using it. The problem is, with the current setup in Aware it is not possible to change the return URL in any way, so the current Aware/Paypal integration uses a default one that basically is: http://www.mydomain.com:8080/app/req.aw ... CCESS=true for successful payments OR http://www.mydomain.com:8080/app/req.aw ... CESS=false for errors or cancellations in payment. The problem is, anyone can manually type in the success return URL BEFORE the payment has been made, fooling Aware (and the app owner etc.) into thinking the payment was successful.
Here are the steps to reproduce:
1. Open up the Library sample application and make sure it's initialized and a Paypal account email is set
2. Start the MakePayment process and add 1 dollar or so in the form
3. Start the make payment procedure (the payment is not made automatically), after which you are directed to the Paypal website where you are intended to log in
4. Don't log in but instead paste the return URL in the address bar, e.g. http://www.mydomain.com:8080/app/req.aw ... CCESS=true
5. The Paypal browser window/tab is closed and you are directed back to Aware, where you will get the successful payment notification
Ideally we need the option to set custom return success and failure URLs, and we could then add some things to the URL like invoice ID or whatever other parameter indicating in part the state of the payment, and also hide the status update or make it difficult to forge.
Henrik (V8 Developer Ed. - Windows)
Re: Paypal payment security concern
Aware IM does provide a number of custom fields in the URL, which you are omitting in your bug report. So we are not exactly sure how to reproduce the problem, since you are providing partial URLs only.
Aware IM Support Team
Re: Paypal payment security concern
From the testing I did, it was not possible to use custom fields in the Aware/Paypal solution. Does this work, if so how?
Henrik (V8 Developer Ed. - Windows)
Re: Paypal payment security concern
I am not talking about user-defined custom fields, I am talking about some special IDs that get sent through the URL. You are not providing full URLs in your report, so it's not clear how to reproduce the problem.
Aware IM Support Team
Re: Paypal payment security concern
Not really sure what you mean. If you follow the steps outlined in my report you will experience this bug.
Henrik (V8 Developer Ed. - Windows)
Re: Paypal payment security concern
This is the URL you are referring to in your bug report:
http://www.mydomain.com:8080/app/req.aw ... CCESS=true
This is not a complete URL - note the ellipsis in the middle. The real URL has some custom parameters there.
Aware IM Support Team
Re: Paypal payment security concern
Henrik,
post the URL inside a Code block
Jaymer
Aware Programming & Consulting - Tampa FL
Re: Paypal payment security concern
Well, if you hover over the URL, right-click and copy, or right-click and open the URL, you will see the whole URL. The whole URL is typed in the forum text; the forum software condenses the VIEWING part but the whole URL is still there.
Is this better?:
http://www.mydomain.com:8080/app/req.awurl?BAS_SUCCESS=true
Henrik (V8 Developer Ed. - Windows)
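The return-URL problem discussed in this thread, as an added example that is not part of any post and is not Aware IM or PayPal code: a handler that trusts the BAS_SUCCESS flag from the browser, next to one that treats the return URL as display-only and reads payment state set by a server-to-server confirmation. Assumptions: the `invoice` parameter, the order store and the HMAC-signed notification are hypothetical stand-ins for the processor's back-channel confirmation (for PayPal, an IPN message or an order lookup).

```python
import hashlib
import hmac

# Assumption: a key known only to the shop server and the processor's
# server-to-server channel; it never appears in any browser-visible URL.
NOTIFY_KEY = b"constructed-demo-key"

# Constructed sample order store.
orders = {"INV-1001": {"amount": "1.00", "paid": False}}


def naive_return_handler(query):
    """Behaviour described in the thread: the browser-supplied flag is trusted."""
    return query.get("BAS_SUCCESS") == "true"


def sign_notification(invoice, amount, status):
    """Stand-in for the processor side of the back channel (hypothetical format)."""
    msg = f"{invoice}|{amount}|{status}".encode()
    return hmac.new(NOTIFY_KEY, msg, hashlib.sha256).hexdigest()


def handle_notification(invoice, amount, status, signature):
    """Mark an order paid only on an authentic confirmation that matches it."""
    expected = sign_notification(invoice, amount, status)
    if not hmac.compare_digest(expected, signature):
        return False  # not from the processor
    order = orders.get(invoice)
    if order is None or status != "Completed" or amount != order["amount"]:
        return False  # unknown order, unfinished payment, or wrong amount
    order["paid"] = True
    return True


def hardened_return_handler(query):
    """The return URL only selects which order to show; the flag is ignored."""
    order = orders.get(query.get("invoice", ""))
    return bool(order and order["paid"])
```

Signing the return URL itself would not help here, because the shop hands that URL to the browser before any payment takes place; the paid state has to come from a channel the payer does not control.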