Security flaw

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
I am quite worried about this piece of news:

http://www.smartertechnology.com/c/a/Smarter-Strategies/Free-Shopping-Security-Flaws-Found-in-Major-Online-Stores/

Is there a solution?

Thank you
13 years ago
Quote from Page 11 of the report:

We reported the NopCommerce bugs to its developers. They have fixed the one related to PayPal Standard. The other bug (i.e. about Amazon Simple Pay), was fixed by Amazon, as we explained above.

Although I am not sure in which version this was fixed, the release notes for v1.9 state:
PayPal Standard. Validate order total in PaypalPDTHandler.aspx

It appears that this bug only relates to PayPal Standard and Amazon Simple Pay, so (AFAIK) if you're not using these, you should be OK. If not, the report contains details of the problems so you can check the code and apply fixes.

HTH,

Chris
13 years ago
If I understand the flaw, I guess the following code in PaypalPDTHandlerPage.aspx.cs fixes the problem:
// validate order total: the total PayPal reports in the PDT response must
// equal the total stored for the order, otherwise the order is not marked as paid
bool validateOrderTotal = this.SettingManager.GetSettingValueBoolean("PaymentMethod.PaypalStandard.ValidateOrderTotal", true);
if (validateOrderTotal &&
    !total.Equals(order.OrderTotal))
{
    string errorStr = string.Format("PayPal PDT. Returned order total {0} doesn't equal order total {1}", total, order.OrderTotal);
    this.LogService.InsertLog(LogTypeEnum.OrderError, errorStr, errorStr);
    // Response.Redirect ends the request here, so the code below is not reached
    Response.Redirect(CommonHelper.GetStoreLocation());
}

// mark order as paid (only reached when the totals matched or validation is disabled)
if (this.OrderService.CanMarkOrderAsPaid(order))
{
    this.OrderService.MarkOrderAsPaid(order.OrderId);
}

Can the NC team confirm?
Thanks.
Regards,
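To show the check from the post above as a stand-alone piece, here is an added example written for this thread; it is not nopCommerce code and not the code zar posted. It parses a PayPal PDT response body (first line SUCCESS or FAIL, then key=value lines, using PayPal's mc_gross and mc_currency variable names), compares the reported amount and currency with the stored order, and only then reports that the order may be marked as paid. The order number, amounts and transaction ids are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Added example, not nopCommerce code: validate the total PayPal reports in a
// PDT response against the total the store recorded for the order.
public static class PdtTotalCheck
{
    // Parse a PDT response body: first line SUCCESS/FAIL, then key=value lines.
    public static Dictionary<string, string> ParsePdt(string body, out bool success)
    {
        var values = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var lines = body.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
        success = lines.Length > 0 && lines[0].Trim() == "SUCCESS";
        for (int i = 1; i < lines.Length; i++)
        {
            int eq = lines[i].IndexOf('=');
            if (eq <= 0) continue;
            string key = lines[i].Substring(0, eq).Trim();
            string value = Uri.UnescapeDataString(lines[i].Substring(eq + 1).Trim());
            values[key] = value;
        }
        return values;
    }

    // True only when the gateway-reported amount and currency equal the stored order.
    public static bool TotalsMatch(Dictionary<string, string> pdt, decimal orderTotal,
                                   string orderCurrency, out string error)
    {
        error = null;
        string grossStr, currency;
        if (!pdt.TryGetValue("mc_gross", out grossStr) || !pdt.TryGetValue("mc_currency", out currency))
        {
            error = "PayPal PDT. Response is missing mc_gross or mc_currency";
            return false;
        }
        decimal gross;
        // Invariant culture: PayPal sends "59.99", never a locale-formatted "59,99".
        if (!decimal.TryParse(grossStr, NumberStyles.Number, CultureInfo.InvariantCulture, out gross))
        {
            error = "PayPal PDT. Returned amount '" + grossStr + "' is not a valid decimal";
            return false;
        }
        if (gross != orderTotal ||
            !string.Equals(currency, orderCurrency, StringComparison.OrdinalIgnoreCase))
        {
            error = string.Format(CultureInfo.InvariantCulture,
                "PayPal PDT. Returned order total {0} {1} doesn't equal order total {2} {3}",
                gross, currency, orderTotal, orderCurrency);
            return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample: the store holds order 1001 at 59.99 USD.
        decimal storedTotal = 59.99m;
        string storedCurrency = "USD";

        // Constructed PDT bodies: one matching the order, one reporting a smaller amount.
        string matching   = "SUCCESS\ntxn_id=EXAMPLE123\nmc_gross=59.99\nmc_currency=USD\ncustom=1001\n";
        string mismatched = "SUCCESS\ntxn_id=EXAMPLE124\nmc_gross=1.00\nmc_currency=USD\ncustom=1001\n";

        foreach (var body in new[] { matching, mismatched })
        {
            bool ok;
            var pdt = ParsePdt(body, out ok);
            string err;
            if (ok && TotalsMatch(pdt, storedTotal, storedCurrency, out err))
                Console.WriteLine("txn " + pdt["txn_id"] + ": totals match, order may be marked as paid");
            else
                Console.WriteLine("txn " + pdt["txn_id"] + ": not marking paid. " + (err ?? "PDT status was not SUCCESS"));
        }
    }
}
```

The point of keeping the check in a separate method that returns false on any missing or unparsable field is that the "mark order as paid" step can only run on the success path; a response the handler cannot fully interpret is logged and rejected rather than treated as a match.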
13 years ago
zar wrote:
Can the NC team confirm?

Yes, this bug was fixed 4 months ago