Multiple PHP Toolkit for PayPal Vulnerabilities

Vendor: Patrick Breitenbach and Dave Nielsen [http://paypal.sf.net/]
Versions affected: PHP Toolkit for PayPal v0.50 (and may be prior)
Date: 12th January 2006
Type of Vulnerability: Sensitive Information Disclosure and Payment System Bypass
Severity: Critical
Solution Status: Unpatched
Vendor was notified on 9th January 2006 without answer

Discovered by: .cens, uinC Team
Online location: http://www.uinc.ru/articles/vuln/ptpaypal050.shtml

Background:
From vendor web-site:
"The PHP Toolkit provides a set of scripts that faciliatate the integration of PayPal into an ecommerce service. It provides scripts that generate a PayPal form dynamically as well as scripts to process Instant Payment Notifications."

Description:
1) Payment System Bypass
If the payment through PayPal.com was completed successfully, payment data is transferred to ipn.php, which in turn executes ipn_success.php, passing it the parsed payment data as parameters using POST request. ipn_success.php will enter the passed data straight into log file without verifying where this data came from. This means, an attacker can reproduce the POST request and enter the details of the successful payment into the log file even if there was no payment through PayPal.com

2) Sensitive Information Disclosure
PHP Toolkit for PayPal vendor documentation recommends to set permissions for the "logs" directory "../ipn/logs/" to 777. Data from ipn_success.php suggests that the payment data log file is "logs/ipn_success.txt", which, if installed according to documentation, will have global read permission. As a result, anyone is able to view the transaction data.

[c] .cens, uinC Team
09.01.2006