Dec 4 2009

Magento: Paypal Standard IPN Double Totals Bug 1.3.2.3 + fix

:!: This fix didn’t work for me after further testing on 1.3.2.4 another recommended fix has however worked. :!:

Untitled 1 Magento: Paypal Standard IPN Double Totals Bug 1.3.2.3 + fix

Does the above look familiar for Paypal Standard Orders, Note the Grand Total and Total Paid…

Running into this issue myself I thought I would post it up to let everyone else know the issue with the Standard Paypal IPN and Magento version 1.3.2.3.  It appears double Order totals are showing up under “Total Paid” and can cause a lot of customer confusion.

Here is the quick temporary fix:

:!: NOTE: This modifies the base code of Magento and recommended you save a backup of the original file, as it may cause issues upgrading later on.

app/code/core/Mage/Paypal/Model/Standard.php as follows: 

- $invoice->register()->capture();
+ $invoice->register()->pay(); 

The above modification fixed IPN problems but now the Total Paid amount is wrong. 

Also the above modification introduced another bug: paid orders are shown as COMPLETE instead of PROCESSING. This can be fixed by changing app/code/core/Mage/Paypal/Model/Standard.php as follows: 

- Mage_Sales_Model_Order::STATE_COMPLETE, true,
+ Mage_Sales_Model_Order::STATE_PROCESSING, $newOrderStatus, 

This change will fix the status problem so that paid orers now appear as PROCESSING.

This fix was not mine and I would like to thank those whom are responsible for finding the bug and providing a fix! Kudos to them. :D

:arrow: Magento – Issue List – eCommerce Software for Growth.

Possibly Related Posts:


no comments   |  tags: , , , | posted in Magento Commerce

Sep 27 2009

Magento Version 1.3.2.4 Security Update XSS fix on registration page

If you are running a lower version than 1.3.2.4 of Magento, I’d highly recommend upgrading for security purposes as in the change log, a Cross Site Scripting attack was found in the customer registration page.

:arrow: Magento – Blog – Magento Version 1.3.2.4 Security Update – eCommerce Software for Growth.

Possibly Related Posts:


no comments   |  tags: , , , | posted in Magento Commerce

Sep 27 2009

X-Cart creators release Gears based Ecwid E-Commerce Widgets in Beta

ecwid logo X Cart creators release Gears based Ecwid E Commerce Widgets in BetaIt appears the people behind X-Cart (qualiteam) have just released a beta version of their hosted AJAX/Gears based E-Commerce package. The package is free however it is a hosted solution with Amazon’s cloud hosting or EC2 web service for data storage.  Some of the cooler features is the Drag and Drop functionality for items to your basket.  Mobile version with static HTML Catalog for SEO purposes as well.  It is widget based so it can easily be dropped into any CMS system.

The biggest downside it seems to such a solution is there is no means currently to have a custom solution, via API or through Qualiteam themselves.  The Cart is visually customizable via CSS within the admin but I’m guessing it won’t be very “in depth”.  Also there is no manual.

On the plus to all these items though is it is FREE :)

:arrow: Ecwid: E-Commerce Widgets.

Possibly Related Posts:


3 comments   |  tags: , , | posted in General, Web Development

May 11 2009

Magento Fraud Alert Module featuring MaxMind

3d box2 websiteNH Magento Fraud Alert Module featuring MaxMind

DirectShop Solutions has released a Magento Module that utilizes the MaxMind fraud detection service.  I had written an interface with MaxMind with X-Cart awhile back and the service alone was well worth it, I was able to detect fraudulent orders a lot easier than before. Using a number of factors from free email services, IP to country/state compared to billing and shipping addresses, proxy detection and more. All with a simple rating score that can help anyone prevent fraudulent orders and cut down on charge backs, which can really hurt in the long run. As this was the main reason I set out to write one for X-Cart was I had been selling E-Goods and had gotten a large number of fraudulent orders ultimately causing my processor to increase my fee’s since I was considered more of a high risk. Its defiantly worth checking out!

:arrow: Magento Fraud Alert Module featuring MaxMind – Magento Modules .

Possibly Related Posts:


2 comments   |  tags: , , | posted in Magento Commerce

Mar 7 2009

Export X-Cart Products for Magento

xcart to mag Export X Cart Products for Magento

Something I have been wanting to do for awhile is attempt at writing a Magento X-Cart import module. Since I’m no where near getting such completed, and was needing to get a clients old X-Cart version 3.5.X product data imported into Magento 1.2.x, I decided to do it the old fashioned way. Export the X-Cart data into an Excel document and map the exported data. Since I had no idea what fields Magento would require for the import. I simply exported my existing Magento products I had added manually. If you don’t have any simply create a single test product and then proceed to export from Magento.

Please keep in mind this is a very basic import, as Product Options and Categories from X-Cart are ignored. I’m open to any ideas and/or thoughts to achieve this, so please feel free to add any comments.

Here is the SQL Query that I have used to grab the basic essential data out of X-Cart:

?View Code SQL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

SELECT
xcart_products.productid,
xcart_products.productcode,
xcart_products.product,
xcart_products.brand,
xcart_products.model,
xcart_products.weight,
xcart_products.categoryid,
xcart_products.list_price,
xcart_products.descr,
xcart_products.fulldescr,
xcart_products.param00,
xcart_products.param01,
xcart_products.param02,
xcart_products.param03,
xcart_products.`type`,
xcart_pricing.productid,
xcart_pricing.quantity,
xcart_pricing.price,
xcart_thumbnails.image_path,
xcart_images.image_path,
xcart_images.image_x,
xcart_images.image_y,
xcart_images.image_size,
xcart_images.alt,
xcart_pricing.membership,
xcart_categories.category
FROM
xcart_products
Left Join xcart_pricing ON xcart_products.productid = xcart_pricing.productid
Left Join xcart_thumbnails ON xcart_products.productid = xcart_thumbnails.productid
Left Join xcart_images ON xcart_products.productid = xcart_images.productid
Left Join xcart_categories ON xcart_categories.categoryid = xcart_products.categoryid
GROUP BY xcart_products.productid

xcart-import-diagram-schema   

One Remote MySQL Manager I found very useful for alot of this was “NaviCat“, the free version doesn’t support export/importing however they do offer a 30 day trial with all the bells and whistles.

As you can tell I am only exporting xcart_products, xcart_pricing, xcart_thumbnails, xcart_images and xcart_categories. However I did not use xcart_categories when mapping my data in Excel, I merely wanted to export it so it was easier to determine products while in Excel.

When exporting with NaviCat I noticed two Excel options, both seem to yield the same results, however I noticed with one of the options long descriptions over 255 characters were being truncated, here is the option to use for best results I’ve found:
export option

A few things to take note while mapping and/or copying your X-Cart exported data to your Magento exported data is:

  • You will need to remove the full path that X-Cart uses in its image tables, i.e. /home/mysite/public_html/
  • Keep a front slash ‘/’ in front of your image filename’s.
  • Copy all of your X-Cart product’s Images via FTP or however you choose. And upload them to /media/import/
  • Keep existing data in the fields of the Magento products export the same. The most note-able are: store, attribute_set and type.
  • You may have some custom data from X-Cart that can be utilized, per say if you were using param00 for a cost field, you can easily map this field into Magento’s custom attributes you can create to be able to port this information over. You can find custom attributes under “Catalog”->”Attributes”->”Manage Attributes” within the Admin.
  • Export as a “Comma Separated Values” (CSV) file. I opened this file up in notepad after exporting and re-saved just to ensure line-breaks and odd characters aren’t miss-interrupted.

All of Magento’s export and import functionality can be found under “System”->”Import/Export”->”Profiles”.

I created a new profile entitled “X-Cart Import” and used the following settings:
xcart-import-magento-profile-settings

Here is the XML profile for my X-Cart import profile as well:

?View Code XML
1
2
3
4
5
6
7
8

    <var><![CDATA[,]]></var>
    <var name="enclose"><![CDATA["]]></var>
    <var name="fieldnames">true</var>
    <var name="store"><![CDATA[0]]></var>
    <var name="number_of_records">1</var>
    <var name="decimal_separator"><![CDATA[.]]></var>
    <var>catalog/convert_adapter_product</var>
    <var>parse</var>

One Idea I didn’t realize during my first initial import was the import process at least on a low-end server can take hours to complete, so you may want to take a small portion of your spreadsheet, export to CSV and do a small amount of data to ensure you have all of your data properly laid out. I made this mistake and am now in the process of re-importing all 2000+ products after doing a small amount to ensure things are in order.

If at anytime you want to wipe all of your products and start from no products, run this query in NaviCat or PHPMyAdmin:

?View Code SQL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

TRUNCATE TABLE `catalog_product_bundle_option`;
TRUNCATE TABLE `catalog_product_bundle_option_value`;
TRUNCATE TABLE `catalog_product_bundle_selection`;
TRUNCATE TABLE `catalog_product_entity_datetime`;
TRUNCATE TABLE `catalog_product_entity_decimal`;
TRUNCATE TABLE `catalog_product_entity_gallery`;
TRUNCATE TABLE `catalog_product_entity_int`;
TRUNCATE TABLE `catalog_product_entity_media_gallery`;
TRUNCATE TABLE `catalog_product_entity_media_gallery_value`;
TRUNCATE TABLE `catalog_product_entity_text`;
TRUNCATE TABLE `catalog_product_entity_tier_price`;
TRUNCATE TABLE `catalog_product_entity_varchar`;
TRUNCATE TABLE `catalog_product_link`;
TRUNCATE TABLE `catalog_product_link_attribute`;
TRUNCATE TABLE `catalog_product_link_attribute_decimal`;
TRUNCATE TABLE `catalog_product_link_attribute_int`;
TRUNCATE TABLE `catalog_product_link_attribute_varchar`;
TRUNCATE TABLE `catalog_product_link_type`;
TRUNCATE TABLE `catalog_product_option`;
TRUNCATE TABLE `catalog_product_option_price`;
TRUNCATE TABLE `catalog_product_option_title`;
TRUNCATE TABLE `catalog_product_option_type_price`;
TRUNCATE TABLE `catalog_product_option_type_title`;
TRUNCATE TABLE `catalog_product_option_type_value`;
TRUNCATE TABLE `catalog_product_super_attribute`;
TRUNCATE TABLE `catalog_product_super_attribute_label`;
TRUNCATE TABLE `catalog_product_super_attribute_pricing`;
TRUNCATE TABLE `catalog_product_super_link`;
TRUNCATE TABLE `catalog_product_enabled_index`;
TRUNCATE TABLE `catalog_product_website`;
TRUNCATE TABLE `catalog_product_entity`;
 
TRUNCATE TABLE `cataloginventory_stock`;
TRUNCATE TABLE `cataloginventory_stock_item`;
TRUNCATE TABLE `cataloginventory_stock_status`;
 
insert  into `catalog_product_link_type`(`link_type_id`,`code`) values (1,'relation'),(2,'bundle'),(3,'super'),(4,'up_sell'),(5,'cross_sell');
insert  into `catalog_product_link_attribute`(`product_link_attribute_id`,`link_type_id`,`product_link_attribute_code`,`data_type`) values (1,2,'qty','decimal'),(2,1,'position','int'),(3,4,'position','int'),(4,5,'position','int'),(6,1,'qty','decimal'),(7,3,'position','int'),(8,3,'qty','decimal');
insert  into `cataloginventory_stock`(`stock_id`,`stock_name`) values (1,'Default');

(thanks to Mike Smullin on the Magento Forums for this query!)

Whats planned? I am also going to be attempting to apply the same method for importing X-Cart customer data into Magento. As well as making product options and categories importable as well.

There is a good thread on importing product’s in Magento’s community discussing this topic as well.

Possibly Related Posts:


10 comments   |  tags: , , , , , , , , | posted in Magento Commerce, Web Development

Feb 27 2009

Magento Security Vulnerability

A new vulnerability has been exposed by Artisan system, they have since removed this blog posting so I’m reposting it for those curious of the details of the exploit and how to correct the problems themselves, since all Varien is offering for a temporary band-aid over the problem is a simple change of admin URL.  

There is in fact some discussion in the community of resolutions to the issue, and also some others offering a solution to fix the exploit until Magento can release a new version to fix the issue in an official release.

Here is the original post from Artisan system detailing the exploit, that has now been removed (possibly temporarily). I am not offering this as means for people to exploit the issue but to better help store owners and their developers fix the issue themselves!

 

 

 

It’s not often that you’ll find me disparaging the work of other developers. I realize the hard work and effort that is put into developing a large scale website. Unfortunately, there is a security vulnerability in Magento Commerce in 1.2.1.1 (and previous versions) that I believe should be fixed before anyone else uses it.

Magento Commerce has been criticized in the past for being too bloated. I agree it is. A single, uncached page load takes as much as 20MB of memory, which is a bit much for a web application. While Magento can be criticized for being too bloated, many other popular apps are bloated, and that bloat can generally be solved by server tuning and hardware. The issue of Magento extends further to a much more important issue: security vulnerabilities in the administration panel.

The problem starts with an attack called a cross site request forgery, or CSRF. The brilliance with this attack is that the person executing it is generally unaware and an authorized user of the website, and thus, the web software has no way to stop the actual actions from occurring.

The attacker will generally use more social engineering than actual coding/cracking. First, I’ll explain how the request forgery works and then how to fix it. The cracker installs Magento on their own system. They configure it properly, set them self up as the administrator, and create a fake order so they receive the layout of the email the administrator receives when a new order is created. Next, the attacker creates a real order on the system they’re looking to attack. With that, they’ll get any modifications to the order email (albeit’s the customer’s email, they’re checking any major color changes, font changes, etc). With this order email, they now have the email address of the administrator of the site.

With this knowledge, the attacker has enough information to execute the attack. The attack lies in the
fact that the administration panel of the Magento installation allows you to execute CRUD (more importantly,
the CUD) – Create, Read, Update, Delete – actions through a GET request rather than a POST request. Using Firebug with their own installation, the attacker can easily find the URL to, for example, duplicate or delete a product.

*** REMOVED TO PREVENT EXPLOITS ***

Copying one of those URL’s and pasting it into another tab will cause the action to execute! This is where the source of the problem lays. Actions such as Create, Update, and Delete should always happen through a POST request, not a GET request. If they must happen through a GET request, an interstitial page is necessary to confirm their actions.

The Attack

The attacker now has everything they need: new order email, administrator email address, and
sample URL’s to attack. Here’s what they do:

  • Create a simple HTML page on their website that when accessed, draws a hidden
    IFRAME with the SRC attribute being the URL of the attack you want to execute. For example,
    if you want to duplicate a product, the page could be as simple as:
  • ?View Code HTML
    1

     <iframe src="http://mymagentosite.com/index.php/admin/catalog_product/duplicate/id/1" style="display: none"></iframe>
  • and installed on http://badsite.com/crack_magento.html
  • Then, through the use of a phishing attack, sends an email to the administrator
    masquerading as a legitimate new order email. If the attacker sends this in the morning,
    chances are, the administrator will already be logged into the backend of the website processing legitimate orders, meaning a session
    has been authenticated for them. The phishing email looks nearly identical to their emails they
    get regularly, and the administrator clicks on the link to go process the “new order”. In reality,
    because the email’s are HTML emails, the value of the link is different than the HREF. The administrator
    clicks a link they’ve seen hundreds of times before, but instead of going to the website, it goes to the
    page on http://badsite.com/crack_magento.html
  • Because the administrator is already authenticated, even if this link opens in a new tab or even window,
    the action will be allowed to execute! With that, they’ll automatically have a duplicate product on their store!
    Deleting a product works in the same way.
  • Even more frightening, the attacker could easily update the crack_magento.html page to use a loop
    in JavaScript to continually draw a hidden iframe 100 times to create 100 duplicate products. As a result of the
    size of Magento, this can do several things:   

    • Create 100 products that are duplicates and erroneous.
    • Cause the server to fail under the load of continual requests.

The Fix

Surprisingly, the fix for this is simple.

  • ALL Create, Update, Delete requests must come from a POST request.
  • A same domain policy is created to only allow POST requests from the website Magento is installed on.
    The checking for this would happen before the rest of the page content is loaded, requiring very little overhead:
  • ?View Code PHP
    1
2
3
4
5
6
7
8

     <?php
 
if ( 'POST' === strtoupper($_SERVER['REQUEST_METHOD']) ) {
  $this_domain = get_this_raw_domain(); // Would return something like mymagentosite.com
  if ( $this_domain != $config['site_domain'] ) {
    exit('Hacking attack!');
  }
}
  • Of course, the above code is a proof of concept, but would be fairly simple to implement in Magento (or any site).
  • On some forms, a hash value is in a hidden form field and this is checked against the session. This should be updated
    to have a random has generated on each page load in a hidden form field. The same value is stored in the session. On each
    page load, this hash is recreated. Next, a static hash is created when the administrator logs into the site. On each page
    submit, the hash from the form and the hash from the session are checked. If both of these are the same, the request continues.
  • Add a secret PIN to the subject of all emails coming from the store to the administrator. For example, if the administrator
    set his PIN as 82799, that value would appear in every subject of every email to him from the store. Because he’s the only
    one who knows the PIN, he’ll know the email is legitimate.

Conclusion

An obvious question is why would someone exploit this? This is the wrong question to ask. People do amazingly cruel things for no reason whatsoever. The question should be, “what is the attack and how do I fix it?”. Although duplicating a product is something that’s a minor nuisance, my fear lies in that if something as simple as a cross site request forgery attack is not caught, where else are major security vulnerabilities present? It is not my point to discredit or disparage the Magento developers as I believe Magento has a chance to be a great product. However, security vulnerabilities such as these are bound to be exploited. I urge you to speak with the Magento developers to ensure this will be fixed immediately.

Possibly Related Posts:


7 comments   |  tags: , , , , , , , | posted in Magento Commerce