Order marked as 'Paid' althought the paid amount is invalid

Item		Qty	Total
	{{cartItem.ProductName}} SKU: {{cartItem.ProductSku}}	{{cartItem.Quantity \| number : 2}} x {{cartItem.UnitCost \| currency : '$' : 2}}	{{cartItem.UnitCost * cartItem.Quantity \| currency : '$' : 2}}
{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}
You have no items in your shopping cart.
Subtotal	{{minicart.cartTotals.SubTotal \| currency : '$' : 2}}

Item

Qty

Total

{{cartItem.ProductName}}
SKU: {{cartItem.ProductSku}}

{{cartItem.Quantity | number : 2}} x {{cartItem.UnitCost | currency : '$' : 2}}

{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}

You have no items in your shopping cart.

Subtotal

{{minicart.cartTotals.SubTotal | currency : '$' : 2}}

Image	Item	Qty	Total
	{{cartItem.ProductName}} SKU: {{cartItem.ProductSku}}	{{cartItem.Quantity \| number : 2}} x {{cartItem.UnitCost \| currency : '$' : 2}}	{{cartItem.UnitCost * cartItem.Quantity \| currency : '$' : 2}}
{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}
You have no items in your shopping cart.

Image

Item

Qty

Total

{{cartItem.ProductName}}
SKU: {{cartItem.ProductSku}}

{{cartItem.Quantity | number : 2}} x {{cartItem.UnitCost | currency : '$' : 2}}

{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}

You have no items in your shopping cart.

SKU

Product Name

Unit Cost

Qty

Line Total

{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}

You have no items in your saved shopping cart.

Status	Order No.	Order Date	Ship To	Order Total	Pay Total	Balance
Bill Me Later Open Ready To Ship Shipped Picked Up Cancelled Incomplete On Hold Back Ordered Returned {{order.Status}}	{{order.OrderID}}	{{order.OrderDate \| date : 'M/d/yyyy'}}	{{order.ShipFirstName}} {{order.ShipLastName}}, {{order.ShipAddress1}} {{order.ShipAddress2}}, {{order.ShipCity}}, {{order.ShipState}} {{order.ShipZipcode}}	{{order.GrandTotal \| currency : '$' : 2}}	{{order.PayTotal \| currency : '$' : 2}}	{{order.GrandTotal - order.PayTotal \| currency : '$' : 2}}

Status

Order No.

Order Date

Ship To

Order Total

Pay Total

Balance

Bill Me Later Open Ready To Ship Shipped Picked Up Cancelled Incomplete On Hold Back Ordered Returned {{order.Status}}

{{order.ShipFirstName}} {{order.ShipLastName}}, {{order.ShipAddress1}} {{order.ShipAddress2}}, {{order.ShipCity}}, {{order.ShipState}} {{order.ShipZipcode}}

Home

Product Discus...

SmithCart

Order marked as 'Paid' althought the paid amount is invalid

6/8/2012 5:45 AM

Rico Ledaouf

Joined: 8/31/2011

Posts: 99

Order marked as 'Paid' althought the paid amount is invalid

Hi,

Using Dnn 6.2.0 with Smith Cart 5.0, PayPal Standard payment provider.

As there is a bug in the tax amount passed to PayPal (see the Incorrect PayPal total thread), the user do not pay the amount expected by the cart (he does not pay the tax).

However, in the manage order screen (or in the database, PayHist table), the Status is set to 'true' (that means the user has paid its order). The cart should not validate the transaction as the paid amount is invalid.

This problem occurs because there is a tax bug, but it emphasis the fact that there is not validation mechanism for the paid amount (and it MUST be such a mechanism to defeat malicious attacks). This verification can be done by checking the parameters sent by PayPal using the IPN notification. The URL passed back to the Smith Cart through the IPN notification contains:

mc_gross=200.00&protection_eligibility=Ineligible&address_status=confirmed&item_number1=&payer_id=...&tax=0.00&address_street=1 Main St&payment_date=09:27:34 Jun 07, 2012 PDT&payment_status=Completed&charset=windows-1252&address_zip=95131&mc_shipping=0.00&mc_handling=0.00&first_name=Test&mc_fee=8.05&address_country_code=US&address_name=Test User&notify_version=3.4&custom=19&payer_status=verified&business=...&address_country=United States&num_cart_items=1&mc_handling1=0.00&address_city=San Jose&verify_sign=ASc-dne4AyfHwacI2TbjN9VgMb8FAjsEnojw5k-fnBKhoeHOBSOyynG3&payer_email=...&mc_shipping1=0.00&tax1=0.00&txn_id=...&payment_type=instant&last_name=User&address_state=CA&item_name1=World&receiver_email=...&payment_fee=&quantity1=1&receiver_id=...&txn_type=cart&mc_gross_1=200.00&mc_currency=EUR&residence_country=US&test_ipn=1&transaction_subject=19&payment_gross=&ipn_track_id=...

The amount the user has to pay, indicated in the last checkout page, is 200 plus 39.20 tax (=239.20). The IPN returns 'mc_gross=200.00' and 'tax1=0.00', so the effectively paid content is 200 (AND NOT 239.20). This must be checked when receiving the IPN and the transaction must not be marked as paid.

Can you fix this very anoying bug please ?

Thanks.