Validation Bypass

Module: paypal-ipn

Published: December 3rd, 2014

Reported by: Martin Angelov

CVE-NONE

CWE-287

Vulnerable: <3.0.0
Patched: >=3.0.0

Overview

Versions 2.x.x and earlier of paypal-ipn are affected by a validation bypass vulnerability.

paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

A motivated attacker could craft a request string using the simulator to fool the application into entering the sandbox mode, potentially allowing purchases without valid payment.

Remediation

Upgrade to version 3.0.0 or later.

References

Issue #11