• Resolved snyne

    (@snyne)


    Hello there pramadillo folks,

    I am a sysadmin at a woocommerce site that deals with adult models and access to their content. We use pay-per-post free and authorize.net for payment processing. Today we had an international customer make a purchase and have it declined by Authorize.

    After the decline, the transaction was set to payment_pending (which is a non-paid order status). I checked the server logs, and while things are a bit weird with tracking a user IP in nginx logs with cloudflare active, I believe this user was given access to the gallery when they should not have been.

    Please understand that I am not AT ALL a php coder and I am spinning my wheels here.

    I checked the source code of the plugin and code which seems like it would determine whether or not to grant access to a simple virtual is:

    if ( wc_customer_bought_product( $this->current_user->user_email, $this->current_user->ID, trim( $id ) ) ) {

    Checking wc_customer_bought_product() (https://woocommerce.github.io/code-reference/files/woocommerce-includes-wc-user-functions.html#source-view.309) seems to return an array on line 340 (https://woocommerce.github.io/code-reference/files/woocommerce-includes-wc-user-functions.html#source-view.340) which by default simply contains "processing"/"completed" (per this: https://woocommerce.github.io/code-reference/files/woocommerce-includes-wc-order-functions.html#source-view.124 )

    I don’t see any alternative path that the user could have taken, but I also don’t see any other users that purchased this content in the same timeframe using the same user agent (chrome on Safari) and the site in question doesn’t have a GIANT userbase.

    Can you please investigate if there is some other code path that could’ve been hit to allow for a payment_processing order to gain access to a hidden post?

    Cheers,

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Matt Pramschufer

    (@mattpramschufer)

    Hey @snyne,
    Thanks for reaching out. So I don’t see how that could be possible as we only look for WHERE p.post_status IN ( 'wc-completed', 'wc-processing' )

    Are you using a hosted order page in Auth.net or via API/CIM? The only thing I could think of is that your gateway plugin could have set the status to be wc-processing and then there was a delay in getting the failed status back.

    If you are just looking at the access logs for the protected page, you would still see an entry as they can still get to the page the content is just different if they have access. So unless you are looking at a specific asset that is only available after access and looking at that entry in the access_log you might be getting false positives.

    Thread Starter snyne

    (@snyne)

    Thanks for your reply Matt,

    We’re using the Auth.net CIM plugin.

    I can see the assets being loaded on the page, but where the logs are difficult to discern which user was acting at the time I’ve added a hook into simple-logger to capture this information in the future. Where I don’t have any additional information to provide I don’t think that we can pursue this any further, but I do sincerely appreciate you taking a look into this for me. If I have additional information in the future, I’ll reach back out.

    Cheers and thanks again,
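The kind of logging hook mentioned in the reply above, written out as an added example (it is not the plugin's code and not the poster's own hook): on every request for a gated post it records what wc_customer_bought_product() decided together with the status of every order that user holds for the gating product, so an order still in pending/failed that nevertheless yields access stands out in the log. The post-to-product mapping in ppp_diag_gates() and the "ppp_diag" names are assumptions for the example.

```php
<?php
/**
 * Added diagnostic mu-plugin (example code, not from the plugin or the thread).
 * Place in wp-content/mu-plugins/ on a staging copy; output goes to the PHP error log.
 */

// Assumption: post ID => WooCommerce product ID that gates it. Replace with real IDs.
function ppp_diag_gates() {
    return array( 123 => 456 );
}

// Status of every order this customer has that contains the product, keyed by order ID.
// wc_get_orders() defaults to all registered statuses, so pending/failed orders are included.
function ppp_diag_order_statuses( $user_id, $product_id ) {
    $found  = array();
    $orders = wc_get_orders( array( 'customer_id' => $user_id, 'limit' => -1 ) );
    foreach ( $orders as $order ) {
        foreach ( $order->get_items() as $item ) {
            if ( (int) $item->get_product_id() === (int) $product_id ) {
                $found[ $order->get_id() ] = $order->get_status(); // e.g. 'pending', 'processing'
            }
        }
    }
    return $found;
}

add_action( 'template_redirect', function () {
    if ( ! is_singular() || ! is_user_logged_in() || ! function_exists( 'wc_customer_bought_product' ) ) {
        return;
    }
    $gates   = ppp_diag_gates();
    $post_id = get_queried_object_id();
    if ( empty( $gates[ $post_id ] ) ) {
        return;
    }
    $user       = wp_get_current_user();
    $product_id = $gates[ $post_id ];
    // Same call the access check uses, evaluated for the same user and product.
    $granted  = wc_customer_bought_product( $user->user_email, $user->ID, $product_id );
    $statuses = ppp_diag_order_statuses( $user->ID, $product_id );
    // Flag access granted while none of the user's orders is in a paid status (processing/completed).
    $anomaly = $granted && ! array_intersect( $statuses, wc_get_is_paid_statuses() );
    error_log( sprintf(
        '[ppp-diag] user=%d ip=%s post=%d product=%d granted=%s orders=%s%s',
        $user->ID, $_SERVER['REMOTE_ADDR'] ?? '-', $post_id, $product_id,
        $granted ? 'yes' : 'no', wp_json_encode( $statuses ),
        $anomaly ? ' ANOMALY: access without a paid order' : ''
    ) );
} );
```

With Cloudflare in front of nginx the REMOTE_ADDR field will be the proxy address unless the real client IP is restored earlier in the stack, which is why the user ID is logged as well.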

  • The topic ‘User may have been able to access paid content while pending payment’ is closed to new replies.