Re: Warning - ComponentOne's PayPal component is VERY insecure!!

I am currently using the PayPal .NET SDK - but for POSTing a custom cart
(not for using their new web service API).

For the most part it is easy to use. The documentation and component have
not been updated since about October '04 or something like that and if you
read their NG posts it appears that PayPal isn't supporting it all that
well. Having said that, I can report no problems, really. I installed the
sample application that demonstrates how to upload the contents of a custom
3rd party shopping cart. I used it as a model for my purposes and everything
seems cool so far. Just set a reference to it in your project and go from
there. Your ticket to sanity here is to just accept that you'll have to
really understand the sample application (which takes all of 15 minutes to
do - if that). The documentation/help file won't really help you if your're
implementing for ASP.NET. I don't think that PayPal really acknowledges that
ASP.NET even exists - at least from reading their printed (non help file)
documentation.

Now, about your observation about the cleartext querystring issue. That is
not an issue of ComponentOne (although they just might suck as much as you
claim). The querystring issue is more of an architectural decision you have
to make. PayPal's non helpfile documentation clearly states that there are
two methods for sending them data - encrypted or not encrypted - and they
clearly state the costs and benefits of each. PayPal's documentation referes
to everything as "buttons" rather than querystrings and such (presumably
because most people will generate static buttons at PayPal's site and
copy/paste the HTML into their own static Web pages). When you go to create
your payment buttons on PayPal's site, you can have it encrypt the
querystring data or not (presented as two 'types' of buttons you can
create). Additionally, when you go with the encrypted option, then that
somehow limits your options for receiving Instant Payment Notification data
back from paypal regarding the transaction (or something like that) - so you
have to decide what's more important to you.

Now, from my purusings of the PayPal NG, it appears that for those of us who
are implementing our own ("custom 3rd party") shopping cart, then if we also
want to encrypt the QueryString, then we'd have to pretty much roll our own
encryption that would have to of course exactly match what PayPal is
expecting (which is undocumented for those of us with the balls to do it).
Doing that would subsequently impose the same limitations on receiving IPN
data back from PayPal. So if you really want encryption and you are NOT
generating your "buttons" dynamically, then it appears that the easiest way
would be to use PayPal's "payment button generator" and copy-n-paste the
HTML into your .NET app.

Finally - if you don't have the current PayPal documentation for developers,
you might want to get it. The most recent was published (PDF format on their
site) in August 2005.

-HTH


"Alan Silver" <alan-silver@xxxxxxxxxxxx> wrote in message
news:s3S9OMCP5EJDFwYH@xxxxxxxxxxxxxxxxxxxxxx
> Hello,
>
> I've just been looking at the free PayPal component from ComponentOne and
> am somewhat amazed how insecure it is. They include all the transaction
> details in plain text in the querystring, meaning that any rank novice can
> click the Buy button on your site, then when the PayPal page loads, change
> the amount for the transaction and press Enter. This reloads the page with
> the new amount. This is so obvious that anyone could do it.
>
> The result is that someone can place an order on your site and change the
> amount to 0.01, with the order still being placed. You are powerless to
> stop this. What's even worse, is that it looks like they could enter a
> negative amount and get a refund!!
>
> If anyone is using this component, I recommend you check this issue
> immediately as your site could be open to abuse.
>
> I contacted C1's (lack of) technical support who were typically unhelpful.
> They avoided the issue and gave obscure answers to questions I hadn't
> asked. This is consistent with my previous experience of their technical
> support.
>
> On a related issue, is anyone using PayPal's ASP.NET SDK? I just had a
> look at that too and wondered how easy it is to use.
>
> --
> Alan Silver
> (anything added below this line is nothing to do with me)


.