Validation Bypass

2014-12-03T13:00:00
ID NODEJS:26
Type nodejs
Reporter Martin Angelov
Modified 2018-05-08T14:27:02

Description

Overview

Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability.

paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

A motivated attacker could craft a request string using the simulator to fool the application into entering the sandbox mode, potentially allowing purchases without valid payment.

Recommendation

Upgrade to version 3.0.0 or later.

References

Issue #11