Jarland is stupid

jar Patron Provider, Top Host, Veteran
edited January 2021 in General

This was a post warning providers about a WHMCS exploit with the PayPal module. The exploit doesn't exist. If it does, I didn't run into it. More in replies.

Comments

  • mmuyskens Member, Host Rep

    Why would you post this publicly though before a patch is available? That's not responsible reporting.

  • jar Patron Provider, Top Host, Veteran
    edited January 2021

    @mmuyskens said:
    Why would you post this publicly though before a patch is available? That's not responsible reporting.

    Because providers can mitigate it and I can't prove how it's accomplished, meaning I can't provide useful information to the developers.

    If this exposed client data I might react differently.

    Drop this in /modules/gateways/callback/.htaccess to mitigate:

    # Apache 2.2-style directives (mod_access_compat on 2.4); no spaces inside the <Files> tags
    <Files paypal.php>
        Order deny,allow
        Deny from all
        Allow from 66.211.168.0/22
        Allow from 173.0.80.0/20
    </Files>

    I know they have other IPs, but I have no recent record of other ranges being used for IPN recently. Compare your logs to see if your dice roll offers a different result.
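
An added log-triage script, not from the thread, that does what the "compare your logs" advice above asks for: it reads Apache combined-format access-log lines and flags requests to the WHMCS PayPal callback that came from outside the PayPal ranges quoted in this thread (66.211.168.0/22, 173.0.80.0/20 and 64.4.240.0/21). The log lines are constructed; re-check the ranges against PayPal's published list before relying on them.

```python
import ipaddress
import re

# Ranges quoted in the thread; confirm against PayPal's own list before use.
PAYPAL_RANGES = [ipaddress.ip_network(n) for n in
                 ("66.211.168.0/22", "173.0.80.0/20", "64.4.240.0/21")]

CALLBACK_PATH = "/modules/gateways/callback/paypal.php"

# Apache combined log: client IP, ident, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def is_paypal_ip(ip: str) -> bool:
    """True if the address falls inside one of the quoted PayPal blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PAYPAL_RANGES)


def suspicious_callbacks(log_lines):
    """Return (timestamp, ip, path) for callback hits from outside PayPal's ranges."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-log line
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != CALLBACK_PATH:
            continue
        if not is_paypal_ip(m.group("ip")):
            hits.append((m.group("ts"), m.group("ip"), path))
    return hits


# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    '173.0.81.1 - - [12/Jan/2021:10:00:01 +0000] "POST /modules/gateways/callback/paypal.php HTTP/1.1" 200 0 "-" "PayPal IPN ( https://www.paypal.com/ipn )"',
    '66.211.170.66 - - [12/Jan/2021:10:05:44 +0000] "POST /modules/gateways/callback/paypal.php HTTP/1.1" 200 0 "-" "PayPal IPN ( https://www.paypal.com/ipn )"',
    '203.0.113.9 - - [12/Jan/2021:10:06:12 +0000] "POST /modules/gateways/callback/paypal.php HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [12/Jan/2021:10:07:30 +0000] "GET /clientarea.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, ip, path in suspicious_callbacks(SAMPLE_LOG):
        print(f"{ts} {ip} -> {path}")
```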

  • This should help to whitelist only PayPal IPN IPs (check if your IPN callback URL is correct).

    RewriteEngine on
    # Only apply to the IPN callback script
    RewriteCond %{REQUEST_URI} ^/modules/gateways/callback/paypal\.php
    # "=" is a plain string compare, so the wildcard needs a regex match instead
    RewriteCond %{REMOTE_ADDR} !^66\.211\.170\.66$
    RewriteCond %{REMOTE_ADDR} !^173\.0\.81\.
    RewriteRule ^ - [F]
    

    IPs are taken from: https://www.paypal.com/us/smarthelp/article/what-are-the-ip-addresses-for-live-paypal-servers-ts1056

    Corrections are welcome.

    Thanked by 1jar
  • I wonder if this affects the new WHMCS Paypal gateway module since it supposedly does not rely on IPNs.

  • MechanicWeb Member, Patron Provider

    WHMCS needs to put their **t back together.

    They are having continuous issues with their 2Checkout module for more than a year now. Every fix breaks something new.

    If you hear anything positive, please do not forget to share.

    Thanked by 1jar
  • jar Patron Provider, Top Host, Veteran
    edited January 2021

    Edit: Removed for now. I think I'm missing something.

  • @jar said: So far I've found 318 transactions that are suspect.

    That's really bad news. The odds of them using your services for illegal activity is very high too.

  • jar Patron Provider, Top Host, Veteran
    edited January 2021

    Get ready to crucify me:

    All payments made with CoinPayments are currently logged as PayPal in the database, and it's throwing off my audit, and it made me see an exploit that wasn't there.

    I'll take my lashings, but I'm going to need a red bull first.

  • 2 lucky guys are getting 1 year of free service :|

    Thanked by 1jar
  • jar Patron Provider, Top Host, Veteran

    I'm guessing this is something I did when switching away from Coinpayments to Coinbase Commerce. I never expected existing transactions to be re-labeled as PayPal payments.

  • @jar said:
    Get ready to crucify me:

    All payments made with CoinPayments are currently logged as PayPal in the database, and it's throwing off my audit, and it made me see an exploit that wasn't there.

    I'll take my lashings, but I'm going to need a red bull first.

    If that's your definition of stupid, I'll trade places with you any day of the week. I wish my stupidity was only things like this. :blush:

    In all seriousness.. you acknowledged your mistake -- and more importantly, revised the thread title to make sure the mentioned party didn't get any negative SEO from this.

    The only real mistake is not owning up. :)

    Thanked by 1jar
  • qps Member, Host Rep

    I popped so much popcorn, but now have no reason to eat it.

    Thanked by 2jar Ticaga
  • jar Patron Provider, Top Host, Veteran

    I do have a new complaint but it's much more tame. Now all transactions made with coinpayments are marked as PayPal. I thought it would just update the payment gateway on the product pages, not rewrite financial history...

  • MikeA Member, Patron Provider
    edited January 2021

    @jar said:
    I thought

    hmm

    WHMCS said:
    we didn't

    Thanked by 1jar
  • @jar said: rewrite financial history

    And you haven't discovered what you don't know (yet)...

    Thanked by 1jar
  • HostEONS Member, Patron Provider
    edited January 2021

    Thanks @jar for updating the community. Btw, I think here is the list of all PayPal IPs: https://www.paypal.com/us/smarthelp/article/what-are-the-ip-addresses-for-live-paypal-servers-ts1056

    This should help; we implemented these rules via CloudFlare, and our website and portal are not accessible unless proxied via CloudFlare, so most likely it should cover it.

    66.211.168.0/22, 173.0.80.0/20 and 64.4.240.0/21: these 3 blocks cover almost all of them, IPN as well as notify IP ranges.

    Thanked by 1jar
  • I thought you had just let other exploiters use the exploit, but luckily you have revised it.

    Thanked by 1jar
  • XiNiX Member, Host Rep

    Thank you @jar

    Thanked by 1jar
  • Saahib Host Rep, Veteran

    Bah.. @jar , you know that people take you seriously here. :smile:

    Thanked by 1jar
  • Off topic. Guys, as a percentage of total orders, how many clients use crypto? Still around 1-2%, with 98% traditional payments like PayPal or credit cards? Or more?

  • jsg Member, Resident Benchmarker

    @jar

    "Jarland is stupid"

    No, the evidence provided is utterly insufficient, hence -> assertion rejected.

    Thanked by 1jar
  • Neoon Community Contributor, Veteran
    edited January 2021

  • default Veteran
    edited January 2021

    Thanked by 2jar Erisa
  • Jarland is stupid

    When you shitpost about someone you should at least tag him @Jarland
    Oh wait ...

    Thanked by 1jar
  • We used to work together, unless you've had a serious accident, you ain't stupid

    Just a little early to call it, but that's why you get more eyes on it, anyway.

    Keep on keeping on, man

    Thanked by 1jar
  • WHMCS really isn't verifying PayPal's IPN requests? That's literally the first thing you do when integrating it: you verify that the requests are really coming from PayPal.

    The IPN message authentication protocol consists of four steps:

    PayPal HTTPS POSTs an IPN message to your listener that notifies it of an event.
    Your listener returns an empty HTTP 200 response to PayPal.
    Your listener HTTPS POSTs the complete, unaltered message back to PayPal; the message must contain the same fields (in the same order) as the original message and be encoded in the same way as the original message.
    PayPal sends a single word back - either VERIFIED (if the message matches the original) or INVALID (if the message does not match the original).
    

    There is no need to whitelist IPs and WHMCS is probably verifying all messages.

    https://developer.paypal.com/docs/api-basics/notifications/ipn/IPNIntro/

    Thanked by 2yoursunny jar
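
As an added example (not WHMCS code and not PayPal's own), the four-step handshake described in the post above as a listener would implement it, plus the checks PayPal's IPN guide tells merchants to make after a VERIFIED reply: receiver address, payment status, amount and currency, and txn_id replay. The postback URL, the field handling and the offline fake transport are this example's own assumptions.

```python
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# Assumed postback endpoint; confirm against PayPal's IPN documentation.
VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

def https_post(url, body):
    # Real transport for step 3: POST the bytes back to PayPal, return its reply.
    req = Request(url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return resp.read()

def build_postback(raw_body: bytes) -> bytes:
    # Original body byte for byte (same fields, order, encoding), prefixed as the docs require.
    return b"cmd=_notify-validate&" + raw_body

def verify_ipn(raw_body: bytes, post=https_post) -> bool:
    # Step 4: PayPal answers VERIFIED only if the bytes match what it actually sent.
    return post(VERIFY_URL, build_postback(raw_body)).strip() == b"VERIFIED"

def check_payment(raw_body, receiver, amount, currency, seen_txn_ids, post=https_post):
    """Return (accepted, reason): VERIFIED alone is not enough to credit an invoice."""
    if not verify_ipn(raw_body, post):
        return False, "postback did not return VERIFIED"
    f = {k: v[0] for k, v in parse_qs(raw_body.decode(), keep_blank_values=True).items()}
    if f.get("receiver_email", "").lower() != receiver.lower():
        return False, "receiver_email is not ours"
    if f.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    if f.get("mc_gross") != amount or f.get("mc_currency") != currency:
        return False, "amount or currency mismatch"
    txn = f.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False, "missing or replayed txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"

# Constructed IPN body and a fake PayPal that mimics step 4 offline.
ORIGINAL = (b"txn_id=TX123&payment_status=Completed&receiver_email=billing%40example.com"
            b"&mc_gross=10.00&mc_currency=USD")
def fake_paypal(url, body):
    return b"VERIFIED" if body == build_postback(ORIGINAL) else b"INVALID"

def demo():
    seen = set()
    first = check_payment(ORIGINAL, "billing@example.com", "10.00", "USD", seen, fake_paypal)
    replay = check_payment(ORIGINAL, "billing@example.com", "10.00", "USD", seen, fake_paypal)
    forged = check_payment(ORIGINAL.replace(b"10.00", b"99.00"), "billing@example.com", "99.00", "USD", set(), fake_paypal)
    return first, replay, forged
```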
  • sisters for @jar please

  • yoursunny Member, IPv6 Advocate

    @Kassem said:

    The IPN message authentication protocol consists of four steps:

    PayPal HTTPS POSTs an IPN message to your listener that notifies it of an event.
    Your listener returns an empty HTTP 200 response to PayPal.
    Your listener HTTPS POSTs the complete, unaltered message back to PayPal; the message must contain the same fields (in the same order) as the original message and be encoded in the same way as the original message.
    PayPal sends a single word back - either VERIFIED (if the message matches the original) or INVALID (if the message does not match the original).
    

    There is no need to whitelist IPs and WHMCS is probably verifying all messages.

    https://developer.paypal.com/docs/api-basics/notifications/ipn/IPNIntro/

    This design is sound. It can be compromised only if the adversary breaks both DNS and TLS.
    It can be simplified though: PayPal could place a signature on the message and the listener could validate it against PayPal's public key.
    This is likely what the PayPal validation endpoint is doing, so that the listener doesn't need to implement public key validation.

    Thanked by 1jar
  • jar Patron Provider, Top Host, Veteran

    It will not. I was just going to let it run until it sold out, but frankly I've had enough of people from China signing up with fake identities to try to order it.

    I wish I was kidding or that it were a mix of different scenarios, but instead it was literally just people from China making up to 5 different accounts in a row every single time, each with different fake identities, until one got through maxmind.
