Re: Warning - ComponentOne's PayPal component is VERY insecure!!



I am currently using the PayPal .NET SDK - but for POSTing a custom cart
(not for using their new web service API).

Yup, that's what I would be looking at initially. I might look at the other later on though.


For the most part it is easy to use.
<snip>

OK, thanks for the info. Maybe I'll download it and have a look.

Now, about your observation about the cleartext querystring issue. That is
not an issue of ComponentOne (although they just might suck as much as you
claim).

Their technical support is pretty useless, even when you have full registered versions of commercial components. I suppose I shouldn't have expected too much support for a free component, but I naively assumed that a security issue might elicit some response - well, a sensible one anyway!!


The querystring issue is more of an architectural decision you have
to make.
<snip>

So, the bottom line is that they have chosen to implement the component in a very insecure way, that allows anyone to alter the transaction amount, but they haven't warned any developers of the implications, nor do they even admit the issue. All of which means that any developer with even an ounce of sense wouldn't use it.

I haven't studied PayPal's docs (what there are of them), but I find it hard to believe that their entire system is as poor as you describe. There must be some way of doing this without such obvious security issues. If there really aren't, then people shouldn't distribute free components that encourage use of such a poor system.

Anyway, I'm certainly not going to use it. I will have to study the PayPal samples and docs carefully before I'm convinced that it's worth using.

Thanks for the comments. Ta ra

--
Alan Silver
(anything added below this line is nothing to do with me)
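Added illustration of the design point raised in this reply (the transaction amount being carried in a cleartext querystring and trusted on the way back). This is not code from the thread, from ComponentOne's component or from PayPal's SDK; the catalogue, the pending-order store, the order id and the HMAC secret are all constructed for the demo, and the querystring handling is a simplified stand-in for a real web handler.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example: insecure "trust the amount in the URL" pattern next to a hardened one.
// Nothing here is ComponentOne's or PayPal's code; all data is constructed for the demo.
public static class CheckoutDemo
{
    // The only legitimate source of prices is the server-side catalogue (constructed).
    private static readonly Dictionary<string, decimal> Catalogue = new()
    {
        ["WIDGET"] = 25.00m,
        ["GADGET"] = 40.00m,
    };

    // What each order is expected to cost, recorded before the customer is redirected.
    // A real site would keep this in a database keyed by order id.
    private static readonly Dictionary<string, decimal> PendingOrders = new();

    // Hypothetical server-only secret; load it from protected configuration in practice.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("demo-only-secret-change-me");

    // The insecure pattern: whatever "amount" arrives in the querystring is taken at
    // face value, so the person holding the URL decides what they pay.
    public static decimal InsecureAmountFromQuery(IDictionary<string, string> query)
        => decimal.Parse(query["amount"], CultureInfo.InvariantCulture);

    // Hardened: total the cart from the catalogue, remember the result server-side, and
    // sign the fields that leave the server so any edit to the URL is detectable.
    public static string BuildCheckoutQuery(string orderId, IDictionary<string, int> cart)
    {
        decimal total = 0m;
        foreach (var (sku, quantity) in cart)
            total += Catalogue[sku] * quantity;
        PendingOrders[orderId] = total;
        string payload = $"order={orderId}&amount={total.ToString("F2", CultureInfo.InvariantCulture)}";
        return payload + "&sig=" + Sign(payload);
    }

    private static string Sign(string payload)
    {
        using var hmac = new HMACSHA256(Secret);
        return Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // On the way back, accept the payment only if the signature is intact AND the reported
    // amount equals the server-side record. The second check is the one that matters:
    // whatever comes back must be compared against what the server itself computed.
    public static bool VerifyCompletedPayment(IDictionary<string, string> query)
    {
        if (!query.TryGetValue("order", out var orderId) ||
            !query.TryGetValue("amount", out var amountText) ||
            !query.TryGetValue("sig", out var sig))
            return false;

        byte[] expected = Encoding.UTF8.GetBytes(Sign($"order={orderId}&amount={amountText}"));
        byte[] given = Encoding.UTF8.GetBytes(sig);
        if (!CryptographicOperations.FixedTimeEquals(expected, given))
            return false;

        if (!PendingOrders.TryGetValue(orderId, out decimal stored))
            return false;
        if (!decimal.TryParse(amountText, NumberStyles.Number, CultureInfo.InvariantCulture, out decimal reported))
            return false;
        return reported == stored;
    }

    // Minimal querystring parser for the demo (no URL decoding).
    public static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>();
        foreach (string pair in query.Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) result[pair[..eq]] = pair[(eq + 1)..];
        }
        return result;
    }

    public static void Main()
    {
        // Constructed cart: 2 x 25.00 + 1 x 40.00 = 90.00
        var cart = new Dictionary<string, int> { ["WIDGET"] = 2, ["GADGET"] = 1 };
        string query = BuildCheckoutQuery("ORD-1001", cart);
        Console.WriteLine("Redirect query: " + query);

        // The same URL with the amount edited before it reaches the gateway.
        string tampered = query.Replace("amount=90.00", "amount=1.00");

        Console.WriteLine("Insecure handler charges: " + InsecureAmountFromQuery(ParseQuery(tampered)));
        Console.WriteLine("Hardened handler, untouched query: " + VerifyCompletedPayment(ParseQuery(query)));
        Console.WriteLine("Hardened handler, tampered query: " + VerifyCompletedPayment(ParseQuery(tampered)));
    }
}
```

The signature alone is not the point; the comparison against the server-side record is. The thread does not describe how PayPal itself confirms a completed payment, so the example only shows the principle: the amount must be computed and stored by the server before the redirect, and whatever is reported afterwards is checked against that record rather than read from a querystring the customer controls.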