Hi support / all,
I intended to use Paypal payments for a project in Aware and when fiddling with difficulties with the return URL, I discovered a security issue which renders the current Paypal solution in Aware useless for me and sharing it here to hopefully get support to change it and make it secure and also to inform others that may be using it. The problem is, with the current setup in Aware it is not possible to change the return url in any way so the current Aware/Paypal integration use a default one that basically is: http://www.mydomain.com:8080/app/req.awurl?BAS_SUCCESS=true for successful payments OR http://www.mydomain.com:8080/app/req.awurl?BAS_SUCCESS=false for errors or cancellations in payment. The problem is, anyone can manually type in the success return url BEFORE the payment has been made, fooling Aware (and the app owner etc.) into thinking the payment was successful.
Here are the steps to reproduce:
- Open up Library sample application and make sure it´s initialized and a Paypal account email is set
- Start the MakePayment process and add 1 dollar or so in the form
- Start the make payment procedure (the payment is not made automatically) after which you are directed to the Paypal website where you are intended to log in
- Don´t login but instead paste the return url in the adress bar e.g http://www.mydomain.com:8080/app/req.awurl?BAS_SUCCESS=true
- The paypal browser window/tab is closed and you are directed back to Aware where you will get the successful payment notification
Ideally we need the option to set custom return success and failure URLs and we could then add some things to the url like invoice ID or whatever other parameter indicating in part the state of the payment and also hide or make difficult to forge the status update.
