Multiple PHP Toolkit for PayPal Vulnerabilities

Type securityvulns
Reporter Securityvulns
Modified 2006-01-12T00:00:00


Vendor: Patrick Breitenbach and Dave Nielsen [] Versions affected: PHP Toolkit for PayPal v0.50 (and may be prior) Date: 12th January 2006 Type of Vulnerability: Sensitive Information Disclosure and Payment System Bypass Severity: Critical Solution Status: Unpatched Vendor was notified on 9th January 2006 without answer

Discovered by: .cens, uinC Team Online location:

Background: >From vendor web-site: "The PHP Toolkit provides a set of scripts that faciliatate the integration of PayPal into an ecommerce service. It provides scripts that generate a PayPal form dynamically as well as scripts to process Instant Payment Notifications."

Description: 1) Payment System Bypass If the payment through was completed successfully, payment data is transferred to ipn.php, which in turn executes ipn_success.php, passing it the parsed payment data as parameters using POST request. ipn_success.php will enter the passed data straight into log file without verifying where this data came from. This means, an attacker can reproduce the POST request and enter the details of the successful payment into the log file even if there was no payment through

2) Sensitive Information Disclosure PHP Toolkit for PayPal vendor documentation recommends to set permissions for the "logs" directory "../ipn/logs/" to 777. Data from ipn_success.php suggests that the payment data log file is "logs/ipn_success.txt", which, if installed according to documentation, will have global read permission. As a result, anyone is able to view the transaction data.