The md5 signature field should be added to encrypt the contents of all the fields passed to Worldpay. Without this, users can easily modify payment amount, currency, etc before it is submitted (e.g. using Firebug).

The guide explains how this should be implemented under Enhancing Security:
http://www.rbsworldpay.com/support/kb/bg/htmlredirect/rhtml.html

It is a fairly simple case of concatenating the names and values (separately) for all hidden inputs which you want to be secure, and then adding a 'salt' type key which is set in both Worldpay settings and your module's settings to ensure people can't create the md5 themselves. These create 2 more hidden inputs for the signatureFields and signature itself.

I may do a patch for this for a project I am working on which probably needs this security.
Thanks
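The scheme described in this post, as an added PHP example that is not part of the original issue or of the module's code: it builds the two extra hidden inputs from the signed fields and shows the receiver-side recomputation that detects an edited amount. The choice of signed fields, the `:` delimiter, the secret-first ordering and the function names are assumptions for illustration; check the linked guide for the exact layout Worldpay expects.

```php
<?php
// Added example; the field layout below is an assumption, not taken from the guide.
const REQUIRED_SIGNED = ['instId', 'cartId', 'amount', 'currency'];

// Returns the form fields plus the two extra hidden inputs.
function sign_fields(array $fields, string $secret): array {
    $values = [];
    foreach (REQUIRED_SIGNED as $name) {
        $value = (string) ($fields[$name] ?? '');
        // A ':' inside a value would make the joined string ambiguous.
        if ($value === '' || strpos($value, ':') !== false) {
            throw new InvalidArgumentException("Bad value for signed field: $name");
        }
        $values[] = $value;
    }
    $fields['signatureFields'] = implode(':', REQUIRED_SIGNED);
    $fields['signature'] = md5($secret . ':' . implode(':', $values));
    return $fields;
}

// Receiver side: recompute the digest from the posted values and compare.
function verify_fields(array $posted, string $secret): bool {
    // Insist on the full field list so a shortened list cannot drop "amount".
    if (($posted['signatureFields'] ?? '') !== implode(':', REQUIRED_SIGNED)) {
        return false;
    }
    $values = [];
    foreach (REQUIRED_SIGNED as $name) {
        $values[] = (string) ($posted[$name] ?? '');
    }
    $expected = md5($secret . ':' . implode(':', $values));
    // Constant-time comparison of the two hex digests.
    return hash_equals($expected, (string) ($posted['signature'] ?? ''));
}

// Constructed sample data; the secret is a placeholder.
$secret = 'example-shared-secret';
$form = sign_fields(
    ['instId' => '12345', 'cartId' => 'order-42', 'amount' => '49.99', 'currency' => 'GBP'],
    $secret
);
var_dump(verify_fields($form, $secret));      // form as generated by the module

$tampered = $form;
$tampered['amount'] = '0.01';                 // value edited in the browser
var_dump(verify_fields($tampered, $secret));  // signature no longer matches
```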

Comments

andrew.lansdowne’s picture

Status: Active » Closed (fixed)

NecroHill’s picture

Status: Closed (fixed) » Active

Hello Andrew, is there any progress with the patch?

glowkeeper’s picture

Andrew - why did you close this immediately?

alexpott’s picture

I've posted a patch that enables this feature and does a few other things here http://drupal.org/node/529760

matason’s picture

Status: Active » Closed (duplicate)

Closing, dealing with this over at http://drupal.org/node/529760