osCommerce / osCommerce-V4


Critical Bug in Stripe Checkout Plugin - Unauthorized Order Cancellation #70

Open albrechtindustries opened 3 weeks ago

albrechtindustries commented 3 weeks ago

Critical Bug in Stripe Checkout Plugin - Unauthorized Order Cancellation

Description:

The Stripe Checkout plugin has a severe vulnerability that allows unauthorized users to cancel any orders that have not been partially paid. This bug poses a significant risk to the integrity of the order management system.

Steps to Reproduce:

  1. Navigate to the URL format for order cancellation:
    https://oscommerce-webshop.xyz/furniture/callback/webhooks.payment.stripe_checkout?action=cancel&orders_id=110
  2. Replace 110 with any valid orders_id.
  3. Accessing this URL cancels the specified order without any authentication or session validation.

Expected Behavior:

The system should validate the session ID or other authentication tokens before allowing any order cancellation.

Actual Behavior:

Any user can cancel an order by simply accessing the above URL with a valid orders_id. The webhook only checks the session ID for the payment transaction and not for the cancellation of the order itself.

Impact:

This vulnerability can lead to unauthorized cancellation of orders, disrupting the business process and potentially causing significant financial losses.

Environment:

Additional Information:

Suggested Fix:

Implement a validation check for the session ID or another form of authentication before processing the cancellation request. Ensure that the same security measures used for payment transactions are also applied to order cancellations.

Please prioritize this issue as it directly impacts order integrity and security.
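The report above describes a callback that cancels whatever `orders_id` appears in the query string, with no check that the caller is the customer who created that order. The block below is an added illustration, not osCommerce-V4 code and not the fix the maintainer committed: it models the reported behaviour next to a session-bound variant in plain Python, with an in-memory order table and a session key `checkout_orders_id` that are both assumptions made for the demo (a real store would read the order from its database and use the project's own session layout). The point it makes is the one the reporter raises: the same binding the payment path already enforces between the checkout session and the order has to be enforced on the cancel path too, and it has to fail closed before the order row is touched.

```python
"""Order-cancellation callback: reported behaviour vs. a session-bound variant.

Added example for illustration only. The order store, the session dict and the
key ``checkout_orders_id`` are assumptions, not osCommerce-V4 internals.
"""
from copy import deepcopy
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Tuple


@dataclass
class Order:
    orders_id: int
    status: str             # "pending", "paid" or "cancelled"
    amount_paid: Decimal    # amount the payment provider has captured so far


# Constructed sample order table; ids and amounts are invented for the demo.
_SAMPLE_ORDERS: Dict[int, Order] = {
    110: Order(110, "pending", Decimal("0")),
    111: Order(111, "pending", Decimal("25.00")),   # partially paid
    112: Order(112, "paid", Decimal("199.00")),
}


def fresh_orders() -> Dict[int, Order]:
    """Return an independent copy of the sample table so each run starts clean."""
    return deepcopy(_SAMPLE_ORDERS)


def parse_orders_id(params: Dict[str, str]) -> Optional[int]:
    """Read orders_id from the query string; accept only a positive integer."""
    raw = params.get("orders_id", "")
    if not raw.isdigit() or int(raw) == 0:
        return None
    return int(raw)


def cancel_unauthenticated(orders: Dict[int, Order], params: Dict[str, str]) -> Tuple[int, str]:
    """The behaviour the issue describes: any caller who guesses an orders_id
    can cancel it, as long as nothing has been paid on it yet."""
    oid = parse_orders_id(params)
    order = orders.get(oid) if oid is not None else None
    if order is None:
        return 404, "unknown order"
    if order.amount_paid > 0:
        return 409, "order has a payment, not cancelled"
    order.status = "cancelled"
    return 200, "cancelled"


def cancel_session_bound(orders: Dict[int, Order], session: Dict[str, int],
                         params: Dict[str, str]) -> Tuple[int, str]:
    """Hardened variant: the order must be the one this checkout session created.

    ``session["checkout_orders_id"]`` is an assumed key, written when the order
    was created and before the customer was sent to the payment provider.
    """
    oid = parse_orders_id(params)
    if oid is None:
        return 400, "bad orders_id"
    # Fail closed before touching the order: no session, or a session bound to a
    # different order, is refused without revealing whether the id exists.
    if session.get("checkout_orders_id") != oid:
        return 403, "order not bound to this session"
    order = orders.get(oid)
    if order is None:
        return 404, "unknown order"
    if order.amount_paid > 0:
        return 409, "order has a payment, not cancelled"
    order.status = "cancelled"
    session.pop("checkout_orders_id", None)   # a session may cancel its order once
    return 200, "cancelled"


if __name__ == "__main__":
    attacker_request = {"action": "cancel", "orders_id": "110"}
    print("unauthenticated:", cancel_unauthenticated(fresh_orders(), attacker_request))
    print("no session:     ", cancel_session_bound(fresh_orders(), {}, attacker_request))
    print("own order:      ", cancel_session_bound(fresh_orders(),
                                                   {"checkout_orders_id": 110}, attacker_request))
```

The status codes are the hardened handler's own; what matters for the fix is the ordering of the checks, with the session binding evaluated before any lookup or state change, so a forged `orders_id` can neither cancel an order nor probe which ids exist.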

pan-oscom commented 2 weeks ago

Thank you! The fix was uploaded in this commit