Bug Security token error

Status
Not open for further replies.

mikez006

Customer
When someone purchases credits, they receive this error when they are redirected back to the site after Paypal payment.

credit_buy_bug.webp

Everything works, credits are received by the buyer, but I'd like to fix the error message so it doesn't come up. It would be nice if the buyer got a "successful purchase" message instead.
 
What is the full URL of the page they land on when they are redirected back to the site?
 
http://www.domain.com/credits.php

That's the full URL.

I did edit the credits.php file and removed the stat columns to replace it with text information instead. I didn't think that would affect anything with payment. It was changed a long time ago and I can't confirm when this error started to happen.
 
Please verify that the following exists near the top of the file:
PHP:
// #################### DEFINE IMPORTANT CONSTANTS #######################
if ($paymethod = preg_replace('/\W/i', '', $_GET['method']))
{	//special actions for payment processing
	define('THIS_SCRIPT', 'credits_gateway');
	define('CSRF_PROTECTION', false);
	define('SKIP_SESSIONCREATE', 1);
}
else
{	//regular page
	define('THIS_SCRIPT', 'credits');
	define('CSRF_PROTECTION', true);
}
 
I'm guessing the issue is that PayPal has started sending the redirect back to the site as a POST request, which triggers the security issue.

To be honest, I'm a bit stumped as to how to resolve this without opening up a gigantic security hole by removing the Cross Site Request Forging protection altogether... I can't rely on the referrer, as that can be spoofed quite easily. The same applies to the referring IP address.
 
I just purchased a point here on your forums and after the Paypal payment I got the same security token missing error message. So it appears to be something with Paypal.

I get a few emails per week asking about this error and it's becoming quite a nuisance so hopefully you can come up with a solution.

As a temporary fix I'm going to edit the error message to include a line about purchasing credits, but I'd like this to be fixed if possible since this is a problem for everyone that uses this credit addon.
 
At this point in time I can't think of a solution on my end, because the change to a POST request happened on PayPal's end.
 
Update: I've just realised a potential fix for this issue. Please open /credits.php and change
PHP:
if ($paymethod = preg_replace('/\W/i', '', $_GET['method']))
to
PHP:
if ($paymethod = preg_replace('/\W/i', '', $_REQUEST['method']))
and let me know if this works for you.
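Added example, not part of the original thread or of the add-on's code: the constant-selection logic above modelled as a pure function, so the original `$_GET` line and the proposed `$_REQUEST` line can be compared on constructed requests. The function name `select_mode`, the sample field `do`, the assumption that PayPal's POST carries `method` in its body, and the `request_order` setting of "GP" are assumptions made for illustration.

```php
<?php
// Added illustration: models the constant selection in credits.php as a
// pure function and runs both variants over constructed requests.

/**
 * Returns the mode the snippet would select.
 * $source is 'GET' (original line) or 'REQUEST' (proposed change).
 */
function select_mode(array $get, array $post, string $source): array
{
    // Assumption: request_order is "GP", so $_REQUEST is $_GET overlaid
    // by $_POST and contains no cookies.
    $request = array_merge($get, $post);
    $input = ($source === 'REQUEST') ? $request : $get;

    // Same sanitisation as the page's code: strip every non-word character.
    $raw = (isset($input['method']) && is_string($input['method'])) ? $input['method'] : '';
    $paymethod = preg_replace('/\W/i', '', $raw);

    if ($paymethod) {
        // Gateway branch: CSRF_PROTECTION is defined as false here.
        return ['script' => 'credits_gateway', 'csrf' => false];
    }
    // Regular page: a POST without a valid security token is rejected.
    return ['script' => 'credits', 'csrf' => true];
}

// Constructed sample requests (not captured traffic): [query string, POST body].
$cases = [
    'GET return, ?method=paypal'    => [['method' => 'paypal'], []],
    'POST return, method in body'   => [[], ['method' => 'paypal']],
    'POST form, no method'          => [[], ['do' => 'buy']],
    'POST, method only punctuation' => [[], ['method' => '../']],
];

foreach ($cases as $label => [$get, $post]) {
    foreach (['GET', 'REQUEST'] as $source) {
        $mode = select_mode($get, $post, $source);
        printf("%-31s %-9s script=%-16s csrf=%s\n",
            $label, '$_' . $source, $mode['script'], $mode['csrf'] ? 'on' : 'off');
    }
}
```

Only the second case differs between the two variants: with `$_GET` the POST return is handled as a regular page with the token check on, which matches the reported error, and with `$_REQUEST` it reaches the gateway branch. Because that branch runs with the token check off for any request carrying a non-empty `method`, it should perform payment processing only and validate the processor's message itself.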
 
Hello mikez006,

This ticket has now been closed with the status Fixed.

We hope your issue or question has been addressed to your satisfaction. If not, please feel free to re-open it by clicking this link.

If you have any further issues or questions, please feel free to start a new support ticket via the button at the top of every page.

Thank you!
 

Legacy vBCredits II Deluxe

vBulletin 3.8.x vBulletin 4.x.x
Seller
DragonByte Technologies