Insecure checking of Payment Notifications

It should be noted that for some reason this plugin does no checking on the validity of IPN notifications from CC Bill servers. This means that any user can create an IPN call and trick WC into seeing the order as paid.

This has happened on our sites on two occasions so there are people out there abusing this weakness.

IPN requests should only be accepted from CC Bill server IPs.

I was able to enforce this using an htaccess file as follows:

#lockcown CCBill
<IfModule mod_rewrite.c>
        RewriteCond %{QUERY_STRING} wc-api=WC_Gateway_CCBill [NC]
        RewriteCond %{QUERY_STRING} Action=Approval_Post [NC]
        RewriteCond %{REMOTE_ADDR} !=64.38.194.13
        RewriteCond %{REMOTE_ADDR} !=131.153.40.106
        RewriteCond %{REMOTE_ADDR} !^64\.38\.240\..*
        RewriteCond %{REMOTE_ADDR} !^64\.38\.241\..*
        RewriteCond %{REMOTE_ADDR} !^64\.38\.212\..*
        RewriteCond %{REMOTE_ADDR} !^64\.38\.215\..*
        RewriteRule ^(.*)$ - [F]
</IfModule>

However I believe that CC Bill should immediately enforce this in their code to protect all customers from the same fraud that we experienced.

I hope this post is helpful.