Major vulnerability in this module | ww.wp.xz.cn

Resolved dealancer
(@dealancer)

11 years, 8 months ago

Hi, this module does not really check if the payment was really made the Authorize.net. Thus any site that uses this module could be under attack.

Please, see, this blog post for more details.

https://ww.wp.xz.cn/plugins/authorizenet-payment-gateway-for-woocommerce/

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author ISHAN VARMA
(@ishanverma)

11 years, 6 months ago

update to v3

Thread Starter dealancer
(@dealancer)

11 years, 6 months ago

Thanks!

It is much better now, however I also suggest to check that an amount coming from POST is the same as an order amount, otherwise there are certain ways to forge an amount or an order ID.

See how the order id / amount is forged for Drupal Commerce module ( and t is fixed now) and the same way it could be done for this module: http://vmirgorod.name/blog/paying-less-more-drupal-commerce-through-authorizenet-simdpm

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Major vulnerability in this module’ is closed to new replies.

2 replies
2 participants
Last reply from: dealancer
Last activity: 11 years, 6 months ago
Status: resolved