Posted by alanburke on February 2, 2009 at 12:57pm
| Project: | UC Worldpay |
| Version: | 6.x-1.0-rc1 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Issue Summary
Hi
I have a worldpay installation using the Ecommerce package, with the Worldplay module.
Part of the code for checking the response from Worldplay involves checking the IP address to ensure it comes from a Worldplay server [and that it isn't being spoofed].
Perhaps something like that would be useful here too.
```php
<?php
// Run a reverse DNS lookup on the IP address the callback is coming from and
// verify it is from Worldpay.
$ip = $_SERVER['REMOTE_ADDR'];
$fullhost = gethostbyaddr($ip);
// Replace the first label with '*' so e.g. 'host1.worldpay.com' becomes
// '*.worldpay.com' (the dot is escaped so it only matches a literal dot).
$host = preg_replace("/^[^.]+\./", "*.", $fullhost);
if ($host == '*.worldpay.com') {
  // Callback accepted as coming from a Worldpay server.
}
?>
```
I don't think Worldpay supports shared secrets or similar, so this would at least be an improvement.
I can roll a patch if this is a desired addition.
Regards
Alan
Comments
#1
Hi alanburke,
Thanks for your interest in uc_worldpay. I'm really busy right now but I'd be delighted if you would agree to become co-maintainer of this module. You seem to know what you are talking about and I just don't have the time right now to dig into this.
This is my TODO for this module:
- Back button on review order page doesn't work
- Selection of cards for display in checkout is purely superficial
- Difference between Shopper Response Enabled and not: seems like the cancelled (and possibly the authorised) status is dealt with by Worldpay when it's disabled.
- When user cancels the order they get an email with the invoice and the order goes into Pending state
- Add MD5 authentication (needs SSL)
- Add IP checking
- Add other security features supported by Worldpay
#2
Hi, don't know whether this is helpful or not but Worldpay provides the option of setting up a Payment Response password that sounds a bit like a shared secret: http://www.rbsworldpay.com/support/kb/bg/customisingadvanced/custa6012.html
I've got it working in my setup and could produce a patch if anyone was interested in incorporating into the next release?
#3
Looking at @psynaptic's list on comment #1:
- Back button on review order page doesn't work - fixed
- Selection of cards for display in checkout is purely superficial - not sure what is meant by this?
- Difference between Shopper Response Enabled and not: seems like the cancelled (and possibly the authorised) status is dealt with by Worldpay when it's disabled - anything to do here?
- When user cancels the order they get an email with the invoice and the order goes into Pending state - requires testing, can this be reproduced?
- Add MD5 authentication (needs SSL) - done, assuming you're referring to the MD5 secret word thingy
- Add IP checking - to do, @alanburke do you want to create a patch against HEAD for this?
- Add other security features supported by Worldpay - needs looking into, what are the other security features we should add?
I suggest we keep this one open for the time being and create separate issues for each item that needs work here.
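As an added example (not code from uc_worldpay or from anyone in this thread) covering both the IP check from the issue summary and the Payment Response password from comment #2: the PTR record for an address is set by whoever owns the IP block, so a reverse lookup alone proves little; the check below resolves the PTR name forward again and requires the original address to appear among its A records, then compares the callback password in constant time. Function names, the `callbackPW` field name and the `.worldpay.com` suffix are assumptions, not taken from the module.

```php
<?php
// Added example: forward-confirmed reverse DNS plus Payment Response password
// for a WorldPay callback. Names and the callbackPW field are assumptions.

// Forward-confirmed reverse DNS: a PTR that ends in the trusted suffix is
// accepted only if that hostname resolves back to the connecting address.
function uc_worldpay_ip_is_trusted($ip, $allowed_suffix = '.worldpay.com') {
  $fullhost = gethostbyaddr($ip);
  // gethostbyaddr() returns the unchanged IP when no PTR record exists.
  if ($fullhost === FALSE || $fullhost === $ip) {
    return FALSE;
  }
  // Literal suffix comparison, so no regex metacharacter surprises.
  $suffix_len = strlen($allowed_suffix);
  if (substr($fullhost, -$suffix_len) !== $allowed_suffix) {
    return FALSE;
  }
  // Forward-confirm: the PTR name must resolve to the address we saw.
  $forward = gethostbynamel($fullhost);
  return is_array($forward) && in_array($ip, $forward, TRUE);
}

// Payment Response password: the password configured at WorldPay is echoed
// back in the callback (assumed field name 'callbackPW'). hash_equals() is a
// constant-time compare and needs PHP >= 5.6.
function uc_worldpay_password_ok(array $post, $configured_password) {
  if ($configured_password === '' || !isset($post['callbackPW'])) {
    return FALSE;
  }
  return hash_equals($configured_password, (string) $post['callbackPW']);
}

// Both checks must pass. Rejections are logged server-side and never echoed
// back to the caller, so a probe learns nothing about which check failed.
function uc_worldpay_callback_is_authentic(array $post, $remote_ip, $password) {
  if (!uc_worldpay_ip_is_trusted($remote_ip)) {
    error_log("uc_worldpay: callback from untrusted address $remote_ip");
    return FALSE;
  }
  if (!uc_worldpay_password_ok($post, $password)) {
    error_log("uc_worldpay: callback password mismatch from $remote_ip");
    return FALSE;
  }
  return TRUE;
}

// Usage inside the callback handler:
// if (!uc_worldpay_callback_is_authentic($_POST, $_SERVER['REMOTE_ADDR'], $pw)) { exit; }
```

Behind a reverse proxy or load balancer `$_SERVER['REMOTE_ADDR']` is the proxy's address, so the IP check must then be fed the client address from a header the proxy is trusted to set.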