Vendor: Patrick Breitenbach and Dave Nielsen [http://paypal.sf.net/] Versions affected: PHP Toolkit for PayPal v0.50 (and may be prior) Date: 12th January 2006 Type of Vulnerability: Sensitive Information Disclosure and Payment System Bypass Severity: Critical Solution Status: Unpatched Vendor was notified on 9th January 2006 without answer
Discovered by: .cens, uinC Team Online location: http://www.uinc.ru/articles/vuln/ptpaypal050.shtml
Background: >From vendor web-site: "The PHP Toolkit provides a set of scripts that faciliatate the integration of PayPal into an ecommerce service. It provides scripts that generate a PayPal form dynamically as well as scripts to process Instant Payment Notifications."
Description: 1) Payment System Bypass If the payment through PayPal.com was completed successfully, payment data is transferred to ipn.php, which in turn executes ipn_success.php, passing it the parsed payment data as parameters using POST request. ipn_success.php will enter the passed data straight into log file without verifying where this data came from. This means, an attacker can reproduce the POST request and enter the details of the successful payment into the log file even if there was no payment through PayPal.com
2) Sensitive Information Disclosure PHP Toolkit for PayPal vendor documentation recommends to set permissions for the "logs" directory "../ipn/logs/" to 777. Data from ipn_success.php suggests that the payment data log file is "logs/ipn_success.txt", which, if installed according to documentation, will have global read permission. As a result, anyone is able to view the transaction data.