NiceCoder Community Forums > Nicecoder > Bug Reports
Bypassing Payment Hack

#1  08-27-2007, 11:06 AM
inspireme (Active Member; Join Date: Nov 2004; Posts: 1,828)

I run a completely paid general directory. Today I got 4 links in my pending section; I knew these weren't paid so I assumed they were just updates and approved them all. I later noticed on the main page it was marked as a "new listing".

I know IndexU should mark them as suspended if they are added and not paid for, so I spent a few hours today working out how they managed to submit sites to my directory. I have found how this is done, and although only tech-savvy people will do this I feel it should be corrected. I won't give details of this here because it will probably make matters worse, but everybody please be a bit more careful about approving sites in your pending list as this is already being exploited.

I haven't tried yet, but it could also be possible to get the link added without you even knowing, or even more likely get a sponsored listing for free (still in your pending section though).

If anybody runs a paid directory, I would be interested if they would let me try to add a site to their pending list. I obviously will add real data and not spam, and you can reject or decline it; I just want to try doing it across servers.

Only relevant for people running 100% paid directories.
__________________
Some interesting INDEXU bits: http://www.indexu.co.uk
Main IndexU sites : | Campsite Directory | Tourist Guide | Places2B | AfterDirectory <-- Half price submission using coupon DP50 (from just $11 premium, and $10 basic permanent )

Last edited by inspireme; 08-27-2007 at 11:14 AM.
#2  08-27-2007, 01:54 PM
Bruceper (Nicecoder Team; Join Date: Jun 2002; Location: Winnipeg Canada; Posts: 4,018)

I don't think it should be kept a secret. If there is a bug then let Dody know about it so he can look into it, but I suspect it's not a bug.

The easiest way to bypass the payment mechanism is probably to fake the referrer and send the string as if it were a completed payment. This is typical of many payment systems that do not use a unique code during the postback (such as IPN). OSCommerce has the same issue with Paypal btw.

The http_referer is easy to fake, and since they already visited your site they know what data is being sent out in the POST string.

The above is not a limitation of IndexU nor of most online payment services. It is a lack of security in protocols and postback verification.

While users should always confirm payments, IndexU may bring one flaw to the picture which I haven't checked out. When a paid link is added and payment successfully made, the link is added to the directory. As far as I know there is no Admin or Editor action required; it is simply added without your knowledge.

So a directory may have a number of "paid" ads that aren't really paid and you wouldn't know about it.

I don't use any payment modules that have postback modules so I can't test any of this out.

If you have found something more than this please let us know. I'd be interested in hearing what you have found.
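As an added illustration of the postback-verification gap Bruceper describes (this is example code, not IndexU's and not any payment module's; the field names follow PayPal IPN naming only for familiarity), the following PHP checks a notification against the order record the site stored before sending the buyer off to pay. The order token must exist, amount and currency must match the stored order, the order must not already be paid, and the gateway itself must confirm the message; the referrer is never consulted. The `acceptPostback` function, the `$orders` array and the `$confirm` callback are assumptions made for the example.

```php
<?php
// Added example, not IndexU code: verify a payment-gateway postback against
// the order record the site created before redirecting the buyer to pay.
// Field names follow PayPal IPN naming; the $confirm callback is an assumption
// standing in for the gateway's own verification round trip.

declare(strict_types=1);

// Constructed "database": orders keyed by a random token the site generated
// and handed to the gateway as the invoice/custom field.
$orders = [
    'ord_7f3a9c1e' => ['amount' => '35.00', 'currency' => 'USD', 'status' => 'pending'],
];

/**
 * Returns true only when the postback is acceptable.
 * $confirm asks the gateway whether it really sent this notification (PayPal
 * IPN does this by echoing the message back); it is injected so the example
 * runs offline.
 */
function acceptPostback(array $post, array &$orders, callable $confirm): bool
{
    // HTTP_REFERER is deliberately ignored: the sender sets it to anything.
    // The notification must reference an order this site actually created.
    $token = $post['invoice'] ?? '';
    if (!is_string($token) || !isset($orders[$token])) {
        return false;
    }
    $order = $orders[$token];

    // Replays: a completed order cannot be completed twice.
    if ($order['status'] !== 'pending') {
        return false;
    }

    // Amount and currency must match what was stored; amounts are compared
    // as identically formatted strings rather than as floats.
    if (($post['payment_status'] ?? '') !== 'Completed'
        || ($post['mc_currency'] ?? '') !== $order['currency']
        || number_format((float)($post['mc_gross'] ?? 0), 2, '.', '') !== $order['amount']) {
        return false;
    }

    // Only the gateway's answer, never the POST body itself, proves payment.
    if (!$confirm($post)) {
        return false;
    }

    $orders[$token]['status'] = 'paid';
    return true;
}

// Constructed notifications: one genuine, one with the amount lowered.
$genuine = ['invoice' => 'ord_7f3a9c1e', 'payment_status' => 'Completed', 'mc_currency' => 'USD', 'mc_gross' => '35.00'];
$forged  = ['invoice' => 'ord_7f3a9c1e', 'payment_status' => 'Completed', 'mc_currency' => 'USD', 'mc_gross' => '1.00'];

$gatewaySaysVerified = fn(array $p): bool => true;   // stand-in for a real round trip
$gatewaySaysInvalid  = fn(array $p): bool => false;

$scenarios = [
    'forged: amount lowered to 1.00' => [$forged,  $gatewaySaysVerified],
    'genuine but gateway denies it'  => [$genuine, $gatewaySaysInvalid],
    'genuine and confirmed'          => [$genuine, $gatewaySaysVerified],
    'same message replayed'          => [$genuine, $gatewaySaysVerified],
];
foreach ($scenarios as $label => [$post, $confirm]) {
    printf("%-34s %s\n", $label, acceptPostback($post, $orders, $confirm) ? 'accepted' : 'rejected');
}
```

The order of the checks matters less than the fact that every one of them is keyed to state the site created itself: a forger who knows the POST format from having seen the checkout page still has to guess a token, match the stored amount, and get past the gateway's own confirmation.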
#3  08-27-2007, 02:17 PM
inspireme (Active Member; Join Date: Nov 2004; Posts: 1,828)

People are just converting the select drop-down menus to text fields (by creating a copy of the add page on their own server, or using a browser plug-in). They can then alter the price to 0 and get the listing on the pending list instead of suspended (for people who have paid basic listings).

They can also set the price to $1 and get a huge reduction on sponsored listings, or increase the period of time the listing is sponsored. Some check should be done server side to make sure prices match up before sending it to PayPal (I never checked this but it seems it would work from what I looked at).

Last edited by inspireme; 08-27-2007 at 02:19 PM.
#4  08-27-2007, 02:35 PM
FSGDAG (Moderator; Join Date: May 2007; Location: NJ, United States; Posts: 979)

I don't run pure paid directories, but I can give you whatever web space you might want in order to test... I'd be happy to offer whatever was needed in order to ensure IndexU is at the highest standard.

PM me if you're interested!
#5  08-27-2007, 04:22 PM
Bruceper (Nicecoder Team; Join Date: Jun 2002; Location: Winnipeg Canada; Posts: 4,018)

That was a common issue years ago and still exists.

Making local copies of files and using those to submit forms is an old "trick". Of course the way around that is to ensure that all POSTs are received from the proper domain. People used to use these types of forms to send spam.

Now that can be tricked too, but it's just not as easy.
#6  08-27-2007, 07:13 PM
inspireme (Active Member; Join Date: Nov 2004; Posts: 1,828)

You don't need to do that though; you can just change selects to text fields and get cheap sponsored listings. People are doing this on my directory, and others must be having the same thing. You need a price check to make sure the POST from the form is the same as it should be before proceeding.
#7  08-27-2007, 11:15 PM
inspireme (Active Member; Join Date: Nov 2004; Posts: 1,828)

Code:
Content visible to License Owner only.
Do you offer sponsored listings on your directories? I would like to see if I can get a sponsored listing for $1; I can't pay myself to test this using PayPal! This is the worst case, as I could, within 20 seconds, get an unlimited time period and a sponsored listing for $1, and it would automatically be added to the site.

The webmaster would be alerted by such a small payment, but if you're clever you could get away with this, especially by adjusting the time period and paying the same; I could get 10 years for the price of 1 and it would be very hard to detect.

PM me the link if you don't mind me trying.
#8  08-28-2007, 11:35 PM
inspireme (Active Member; Join Date: Nov 2004; Posts: 1,828)

OK, well, a few people sent PMs to me and I have got a sponsored listing for $1 instead of $35 by a simple 10-second hack on one of the sites. Oddly, the other site someone offered that I tested seems not to let me change the price, although I did add a free listing which should have cost me.

Just to clarify:

Anyone can get the most expensive listing you offer for $1, and for an unlimited length of time; it needs no approval and is added directly to the site. The scammer would need to pay some money, otherwise the listing goes to the pending queue; if they pay $1 it's a successful transaction and it goes online. Obviously a webmaster would notice the odd payment, so I think most would pay for the cheapest and upgrade themselves sneakily for a longer period of time / sponsored instead of basic to avoid detection.

If you run a paid directory you can get a listing in the pending queue without needing to pay anything. As listings usually go into suspended if not paid for, this probably means you will approve them thinking they are just updates.

The Solution:
A section of PHP should take the link period (passed by form) and see what the listing type is (again passed by the form); the code will then look up in the application file to work out the price. This should be compared to the price passed by the form, and if they don't match it should be forwarded to a "don't scam us" template.

This is a well known hack I suppose, but it's worrying that people are starting to do it on my site. I have had 10 submissions that have been put into my pending queue without the $15 payment, although nobody has yet done the worst case scenario of paying me a small amount and getting a lot more than they paid for.

How it's done:
Probably best if you PM me if you need to know.

Last edited by inspireme; 08-28-2007 at 11:45 PM.
#9  08-29-2007, 01:25 AM
FSGDAG (Moderator; Join Date: May 2007; Location: NJ, United States; Posts: 979)

Well... inspireme is right... He was able to get a sponsored listing on my site for $1.00 which is normally 19.99, and for lifetime, which is normally 1 year.

This needs to be addressed... It's not good this happens.
#10  08-29-2007, 03:02 AM
tdz (Registered User; Join Date: May 2007; Posts: 5)

Here is the way I used to fix that problem in my dir.

In add.php search for:
Code:
Content visible to License Owner only.
add below:
Code:
Content visible to License Owner only.
Search for:
Code:
Content visible to License Owner only.
replace with:
Code:
Content visible to License Owner only.
If there is a better way to do this please let me know.

Thanks for reporting this problem.
#11  08-29-2007, 07:34 AM
inspireme (Active Member; Join Date: Nov 2004; Posts: 1,828)

OK, well, that explains why it doesn't work on your directory, good job. You can still get a listing into the pending queue and bypass payment though: if you have a look there is a section of code that says if listing price = 0, and this code causes the listing to be added straight to pending, so if anyone tried to change the price to zero it causes the listing to bypass payment, and your checks, and go to the pending queue.

If you run a completely paid directory, you could just remove the whole section, or echo ("dont cheat me") in this section; for anyone else who does allow free submissions this isn't even a problem.

Thanks for the fix.
#12  09-27-2007, 02:20 PM
esm (Active Member; Join Date: Apr 2003; Location: Atlanta GA; Posts: 3,411)

Code:
Content visible to License Owner only.
You could try testing the HTTP_REFERER variable to see if the submission is coming from your website.



__________________
esm
"The older I get, the more I admire competence, just simple competence, in any field from adultery to zoology."

#13  10-21-2007, 10:59 PM
dody (Nicecoder Team; Join Date: Aug 2001; Location: Indonesia; Posts: 3,292)

@tdz
Thank you for the fix code; I borrowed your idea of checking the price (the code is taken from ajax.php). I made it more general for all users, especially the last part which checks periods. I check the possible value combinations; if they don't match then it just exits without any warning.

Code:
Content visible to License Owner only.
Full code changes are here:
http://nicecoder.com/svn/index.php?act=changeset&id=520
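To illustrate the server-side check that inspireme outlines in post #8 and that tdz and dody implemented (their code above is visible to licence owners only), here is an added PHP example that is not IndexU code and not taken from their patches. It recomputes the price from the submitted listing type and period using a constructed price table, rejects any type/period combination that is not in the table (so a stretched period or an unknown type fails just like a lowered price), compares the submitted price strictly, and on a fully paid directory refuses a zero price, closing the "price = 0 goes straight to pending" path inspireme points out in post #11. The field names `listing_type`, `period` and `price`, the `PRICE_TABLE` values and the `validateListingPrice` function are assumptions.

```php
<?php
// Added example, not IndexU code; field names and the price table are
// assumptions. Recompute the price on the server from the submitted listing
// type and period and compare it with the price the form submitted. A <select>
// turned into a text field can change type, period or price, so none of the
// three is trusted on its own.

declare(strict_types=1);

// Constructed price table in whole dollars, as a 100%-paid directory might
// configure it: listing type => [period in months => price]; 0 = permanent.
const PRICE_TABLE = [
    'basic'     => [12 => 15, 0 => 10],
    'sponsored' => [12 => 35, 0 => 99],
];

/**
 * Validates a submission. Returns the server-side price on success, or null
 * when the submitted values are not an allowed combination or the submitted
 * price disagrees with the table.
 */
function validateListingPrice(array $post, bool $fullyPaid = true): ?int
{
    $type   = $post['listing_type'] ?? '';
    $period = $post['period'] ?? '';
    $price  = $post['price'] ?? '';

    // Arrays smuggled in as field[] values are rejected before any lookup.
    if (!is_string($type) || !is_scalar($period) || !is_scalar($price)) {
        return null;
    }

    // Only whole non-negative numbers are acceptable; "1e0", " 12", "12.0"
    // and "" are all rejected before any arithmetic happens.
    if (!ctype_digit((string)$period) || !ctype_digit((string)$price)) {
        return null;
    }
    $period = (int)$period;
    $price  = (int)$price;

    // The type/period pair must exist in the table; unknown values mean the
    // form was altered.
    if (!isset(PRICE_TABLE[$type][$period])) {
        return null;
    }
    $expected = PRICE_TABLE[$type][$period];

    // Submitted price must equal the recomputed one. The comparison is strict
    // so "0" cannot slip through any loose-equality path.
    if ($price !== $expected) {
        return null;
    }

    // On a fully paid directory a zero price is never legitimate; this closes
    // the "price = 0 goes straight to pending" route even if the table ever
    // contained a zero entry by mistake.
    if ($fullyPaid && $expected === 0) {
        return null;
    }

    return $expected;
}

// Constructed submissions covering the honest case and the tampered ones.
$cases = [
    'honest sponsored, 1 year'       => ['listing_type' => 'sponsored', 'period' => '12',  'price' => '35'],
    'price field changed to 1'       => ['listing_type' => 'sponsored', 'period' => '12',  'price' => '1'],
    'price field changed to 0'       => ['listing_type' => 'basic',     'period' => '12',  'price' => '0'],
    'period stretched to 120 months' => ['listing_type' => 'sponsored', 'period' => '120', 'price' => '35'],
    'type not in the table'          => ['listing_type' => 'platinum',  'period' => '12',  'price' => '35'],
];

foreach ($cases as $label => $post) {
    $result = validateListingPrice($post);
    printf("%-32s %s\n", $label, $result === null ? 'rejected' : "accepted at \$$result");
}
```

Returning the recomputed price rather than a bare true/false lets the caller hand that value, and never the form's, to the payment step, so the two can no longer disagree.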
#14  10-28-2007, 06:15 PM
! Ask ! (Registered User; Join Date: Oct 2007; Posts: 1)

Full code changes are here:
http://nicecoder.com/svn/index.php?act=changeset&id=520

I can't access!
__________________
Ask Directory
#15  10-28-2007, 09:46 PM
Bruceper (Nicecoder Team; Join Date: Jun 2002; Location: Winnipeg Canada; Posts: 4,018)

Enter your email address and license number if I remember right to access that area.
 
