Dec 4 2009

Magento: Paypal Standard IPN Double Totals Bug 1.3.2.3 + fix

:!: This fix didn’t work for me after further testing on 1.3.2.4 another recommended fix has however worked. :!:

Untitled 1 Magento: Paypal Standard IPN Double Totals Bug 1.3.2.3 + fix

Does the above look familiar for Paypal Standard Orders, Note the Grand Total and Total Paid…

Running into this issue myself I thought I would post it up to let everyone else know the issue with the Standard Paypal IPN and Magento version 1.3.2.3.  It appears double Order totals are showing up under “Total Paid” and can cause a lot of customer confusion.

Here is the quick temporary fix:

:!: NOTE: This modifies the base code of Magento and recommended you save a backup of the original file, as it may cause issues upgrading later on.

app/code/core/Mage/Paypal/Model/Standard.php as follows: 

- $invoice->register()->capture();
+ $invoice->register()->pay(); 

The above modification fixed IPN problems but now the Total Paid amount is wrong. 

Also the above modification introduced another bug: paid orders are shown as COMPLETE instead of PROCESSING. This can be fixed by changing app/code/core/Mage/Paypal/Model/Standard.php as follows: 

- Mage_Sales_Model_Order::STATE_COMPLETE, true,
+ Mage_Sales_Model_Order::STATE_PROCESSING, $newOrderStatus, 

This change will fix the status problem so that paid orers now appear as PROCESSING.

This fix was not mine and I would like to thank those whom are responsible for finding the bug and providing a fix! Kudos to them. :D

:arrow: Magento – Issue List – eCommerce Software for Growth.

Possibly Related Posts:


no comments   |  tags: , , , | posted in Magento Commerce

Apr 15 2009

Magento version 1.3.1 imminent

It appears Varien is has completed the list of items in the 1.3.1 branch.  Which includes fixes for the previous bugs I had previously posted about.  I’ve tried pulling down the alpha version with CVS to get a sneak peak at the upcoming changes but haven’t been successful, as March 30th seems to be the last commit change for 1.3.0.  There hasn’t been any news about when this release will be available publicly in a “official” form.  

A lot of users whom tried my fix for the add to cart issue with options reported getting an error such as getSKU() was undefined. This is in the list of items to be fixed in 1.3.1.

:!: Anyone who applied my “jerry rigged” fix, please remember to uncomment the line mentioned in the article BEFORE attempting to upgrade.

I have also been fighting with Magento and Google base always returning “Expected response code 200, got 404″, although it appears to be on a Google API change that has caused the issue, and I’m hoping 1.3.1 will have this issue fixed for me as well.

I will post up my findings once I’m able to get my hands dirty with the changes in 1.3.1.

:arrow: Magento – Roadmap – eCommerce Software for Growth.

Possibly Related Posts:


no comments   |  tags: , , , | posted in Magento Commerce

Apr 7 2009

Magento v1.3.0: Option validation failed to add product to cart

After upgrading a clients Magento site from 1.2.1.2 to version 1.3.0, they reported an issue not being able to add products with required selectable options, as it would always return “Option validation failed to add product to cart” Message even though all requirements are met.

The issue I’ve found to be is in a newly created file in 1.3.0: /app/code/core/Mage/Catalog/Model/Product/Option/Type/Select.php

?View Code PHP
1
2
3
4
5
6
7
8
9
10
11
12
13

    /**
     * Prepare option value for cart
     *
     * @throws Mage_Core_Exception
     * @return mixed Prepared option value
     */
    public function prepareForCart()
    {
        if ($this->getIsValid()) {
            return is_array($this->getUserValue()) ? implode(',', $this->getUserValue()) : $this->getUserValue();
        }
        #Mage::throwException(Mage::helper('catalog')->__('Option validation failed to add product to cart'));
    }

Apply a comment to the Mage::throwException … and it will fix the issue.

Note the use of a shorthand if statement within the return for the function, which in all honesty is bad coding practice. I say Magento makes the developer go onto code review for the next week for punishment. I’ve known some shops to do this when they get lazy. :lol:

However, $this->getIsValid() will return true, for a few cycles through but ultimately seems to come back to the exception and return false, which leads me to thing there is more to bug than just a simple conditional return statement.

Keep in mind this is by no means a official fix but will tie you over until the bug fix is released, which has already been reported and assigned. Also if you do make this change you may want to keep a copy of the original file as modifying app/core/ can lead to upgrade issues in the future, and you’ll need to restore the original file upon upgrading.

:!: It appears this also has fixed another issue I noticed, within the Admin, attempting to Create a New Order, upon attempting to add products to the order, nothing would be returned and no error presented. After my fix above this now working properly as well. This other issue has also been reported already and assigned as well.

According the 1.2.1.2 to 1.3.0 .diff file, this file is a newly created file.

Here is a forum thread discussing the issue:
:arrow: Magento – Option validation failed to add product to cart – Magento 1.3.0 Upgrade Issues – eCommerce Software for Growth.

Possibly Related Posts:


no comments   |  tags: , , , | posted in Magento Commerce

Apr 1 2009

Magento Login Error after 1.3.0 upgrade fix

After upgrading a fresh out of box 1.2.1.2 and upgrading via MagentoConnect I noticed an error others have reported as well.

:!: Invalid method Mage_Adminhtml_Model_Url::useSecretKey(Array)

It may merely be a permission issue as I didn’t use SSH to perform the upgrade with PEAR, to avoid permission issues. :x

Here’s what fixed it for me, for some reason Usesecretkey.php was not created during an upgrade through MagentoConnect, and Url.php was not updated…

Download the full 1.3.0 zip or tarball and copy Usessecretkey.php and overwriting Url.php:

?View Code TEXT
1
2

\app\code\core\Mage\Adminhtml\Model\System\Config\Backend\Admin\Usesecretkey.php
\app\code\core\Mage\Adminhtml\Model\Url.php

Usesecreykey.php is in the .diff file, and my original install before upgrade was 1.2.1.2, the file didn’t exist before: Note the revision number, and all +’s in the .diff file.

?View Code PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

Index: app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Admin/Usesecretkey.php
===================================================================
--- app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Admin/Usesecretkey.php	(revision 0)
+++ app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Admin/Usesecretkey.php	(revision 37005)
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Magento
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.txt.
+ * It is also available through the world-wide-web at this URL:
+ * http://opensource.org/licenses/osl-3.0.php
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to license@magentocommerce.com so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade Magento to newer
+ * versions in the future. If you wish to customize Magento for your
+ * needs please refer to http://www.magentocommerce.com for more information.
+ *
+ * @category   Mage
+ * @package    Mage_Adminhtml
+ * @copyright  Copyright (c) 2008 Irubin Consulting Inc. DBA Varien (http://www.varien.com)
+ * @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+ */
+
+
+/**
+ * Adminhtml backend model for "Use secret key in Urls" option
+ *
+ * @category   Mage
+ * @package    Mage_Adminhtml
+ * @author     Magento Core Team <core@magentocommerce.com>
+ */
+class Mage_Adminhtml_Model_System_Config_Backend_Admin_Usesecretkey extends Mage_Core_Model_Config_Data
+{
+    protected function _afterSave()
+    {
+        Mage::getSingleton('adminhtml/url')->renewSecretUrls();
+        return $this;
+    }
+}

:arrow: Magento – Login error after upgrade – Magento 1.3.0 Upgrade Issues – eCommerce Software for Growth.

There may be some other inconsistencies but at the moment this is the only issue I’ve encountered with 1.3.0 after an upgrade, feel free to comment and I make no warranty for the above, its merely a fix that worked for me, and isn’t official by any means.

Possibly Related Posts:


9 comments   |  tags: , , , , , | posted in Magento Commerce

Mar 4 2009

Incoming Message in Magento’s Admin using Google Chrome Bug Found

I’ve been using Google Chrome alot lately more so than Firefox and I noticed an issue today after logging into Magento’s Backend, the buttons for the “Incoming Message” window go no where.  Granted this is a very low priority bug, but still an issue to be resolved since this may also affect Safari and any other browser utilizing WebKit.  It appears the message window is Flash based as right clicking shows the menu for an .swf.

magento-bug-chrome-notice

Using Google Chrome after logging into Magento’s Admin and a Notice is displayed on the dashboard, the “Incoming Message” window both “Close” and “Read details” do not function properly within Google Chrome version: 1.0.154.48, Magento version 1.2.1.1

Magento – Issue List – eCommerce Software for Growth.

Possibly Related Posts:


2 comments   |  tags: , , , | posted in Magento Commerce

Feb 27 2009

Magento Security Vulnerability

A new vulnerability has been exposed by Artisan system, they have since removed this blog posting so I’m reposting it for those curious of the details of the exploit and how to correct the problems themselves, since all Varien is offering for a temporary band-aid over the problem is a simple change of admin URL.  

There is in fact some discussion in the community of resolutions to the issue, and also some others offering a solution to fix the exploit until Magento can release a new version to fix the issue in an official release.

Here is the original post from Artisan system detailing the exploit, that has now been removed (possibly temporarily). I am not offering this as means for people to exploit the issue but to better help store owners and their developers fix the issue themselves!

 

 

 

It’s not often that you’ll find me disparaging the work of other developers. I realize the hard work and effort that is put into developing a large scale website. Unfortunately, there is a security vulnerability in Magento Commerce in 1.2.1.1 (and previous versions) that I believe should be fixed before anyone else uses it.

Magento Commerce has been criticized in the past for being too bloated. I agree it is. A single, uncached page load takes as much as 20MB of memory, which is a bit much for a web application. While Magento can be criticized for being too bloated, many other popular apps are bloated, and that bloat can generally be solved by server tuning and hardware. The issue of Magento extends further to a much more important issue: security vulnerabilities in the administration panel.

The problem starts with an attack called a cross site request forgery, or CSRF. The brilliance with this attack is that the person executing it is generally unaware and an authorized user of the website, and thus, the web software has no way to stop the actual actions from occurring.

The attacker will generally use more social engineering than actual coding/cracking. First, I’ll explain how the request forgery works and then how to fix it. The cracker installs Magento on their own system. They configure it properly, set them self up as the administrator, and create a fake order so they receive the layout of the email the administrator receives when a new order is created. Next, the attacker creates a real order on the system they’re looking to attack. With that, they’ll get any modifications to the order email (albeit’s the customer’s email, they’re checking any major color changes, font changes, etc). With this order email, they now have the email address of the administrator of the site.

With this knowledge, the attacker has enough information to execute the attack. The attack lies in the
fact that the administration panel of the Magento installation allows you to execute CRUD (more importantly,
the CUD) – Create, Read, Update, Delete – actions through a GET request rather than a POST request. Using Firebug with their own installation, the attacker can easily find the URL to, for example, duplicate or delete a product.

*** REMOVED TO PREVENT EXPLOITS ***

Copying one of those URL’s and pasting it into another tab will cause the action to execute! This is where the source of the problem lays. Actions such as Create, Update, and Delete should always happen through a POST request, not a GET request. If they must happen through a GET request, an interstitial page is necessary to confirm their actions.

The Attack

The attacker now has everything they need: new order email, administrator email address, and
sample URL’s to attack. Here’s what they do:

  • Create a simple HTML page on their website that when accessed, draws a hidden
    IFRAME with the SRC attribute being the URL of the attack you want to execute. For example,
    if you want to duplicate a product, the page could be as simple as:
  • ?View Code HTML
    1

     <iframe src="http://mymagentosite.com/index.php/admin/catalog_product/duplicate/id/1" style="display: none"></iframe>
  • and installed on http://badsite.com/crack_magento.html
  • Then, through the use of a phishing attack, sends an email to the administrator
    masquerading as a legitimate new order email. If the attacker sends this in the morning,
    chances are, the administrator will already be logged into the backend of the website processing legitimate orders, meaning a session
    has been authenticated for them. The phishing email looks nearly identical to their emails they
    get regularly, and the administrator clicks on the link to go process the “new order”. In reality,
    because the email’s are HTML emails, the value of the link is different than the HREF. The administrator
    clicks a link they’ve seen hundreds of times before, but instead of going to the website, it goes to the
    page on http://badsite.com/crack_magento.html
  • Because the administrator is already authenticated, even if this link opens in a new tab or even window,
    the action will be allowed to execute! With that, they’ll automatically have a duplicate product on their store!
    Deleting a product works in the same way.
  • Even more frightening, the attacker could easily update the crack_magento.html page to use a loop
    in JavaScript to continually draw a hidden iframe 100 times to create 100 duplicate products. As a result of the
    size of Magento, this can do several things:   

    • Create 100 products that are duplicates and erroneous.
    • Cause the server to fail under the load of continual requests.

The Fix

Surprisingly, the fix for this is simple.

  • ALL Create, Update, Delete requests must come from a POST request.
  • A same domain policy is created to only allow POST requests from the website Magento is installed on.
    The checking for this would happen before the rest of the page content is loaded, requiring very little overhead:
  • ?View Code PHP
    1
2
3
4
5
6
7
8

     <?php
 
if ( 'POST' === strtoupper($_SERVER['REQUEST_METHOD']) ) {
  $this_domain = get_this_raw_domain(); // Would return something like mymagentosite.com
  if ( $this_domain != $config['site_domain'] ) {
    exit('Hacking attack!');
  }
}
  • Of course, the above code is a proof of concept, but would be fairly simple to implement in Magento (or any site).
  • On some forms, a hash value is in a hidden form field and this is checked against the session. This should be updated
    to have a random has generated on each page load in a hidden form field. The same value is stored in the session. On each
    page load, this hash is recreated. Next, a static hash is created when the administrator logs into the site. On each page
    submit, the hash from the form and the hash from the session are checked. If both of these are the same, the request continues.
  • Add a secret PIN to the subject of all emails coming from the store to the administrator. For example, if the administrator
    set his PIN as 82799, that value would appear in every subject of every email to him from the store. Because he’s the only
    one who knows the PIN, he’ll know the email is legitimate.

Conclusion

An obvious question is why would someone exploit this? This is the wrong question to ask. People do amazingly cruel things for no reason whatsoever. The question should be, “what is the attack and how do I fix it?”. Although duplicating a product is something that’s a minor nuisance, my fear lies in that if something as simple as a cross site request forgery attack is not caught, where else are major security vulnerabilities present? It is not my point to discredit or disparage the Magento developers as I believe Magento has a chance to be a great product. However, security vulnerabilities such as these are bound to be exploited. I urge you to speak with the Magento developers to ensure this will be fixed immediately.

Possibly Related Posts:


7 comments   |  tags: , , , , , , , | posted in Magento Commerce