Closed lucasnetau closed 8 years ago
Through trial and error I was able to get SHA256 hash validation working by removing vpc_SecureHash and vpc_SecureHashType from the string that gets hashed. The MIGS gateway sends both of these back in the request string.
In the old version vpc_SecureHash was excluded when creating the hash string but not in the new version. Additionally vpc_SecureHashType gets sent back by the MIGS gateway if the type is SHA256.
A quick and simple fix was to unset those two keys from $data in AbstractRequest::calculateHash()
I'm not familiar with Migs, but if this is anything like the PAYONE gateway, you need to log into the gateway account settings and tell it what type of hash to send - md5 (legacy) or SHA256 (new). That may also affect what type of hash the gateway is expected to receive as well.
MIGS uses the vpc_SecureHashType query parameter to go from MD5 to SHA256.
Sending the hash to the gateway is fine, the vpc_SecureHashType is added after the hash is calculated. The issue is verifying the hash that comes back from the payment gateway.
The previous version removed vpc_SecureHash from the hash calculation and it doesn't do this anymore. Additionally vpc_SecureHashType is now added by the MIGS gateway if it is set, it also needs to be able to verify the hash.
Removing the two query parameters when building the query string to verify works correctly and I can take payments from the MIGS gateway again.
I'm new to GitHub, I'll work on how to do a pull request or I can upload a diff.
If you can explain what code needs changing then I can do that.
Hi,
I've been running with this patch for the last week. Successful transactions against both the test and production MIGS instances.
https://gist.github.com/lucasnetau/bcacb528d664f0ad1339086c1a585021
I've added this gist as a pull request.
I am new to MIGS payment gateway integration. I very much need the MIGS payment gateway core PHP code or a WordPress manual plugin. Please, please help me; my mail ID is lincolnuniversitydxb@gmail.com. I will be able to pay for the code if somebody helps me. My code is below:

```php
<?php

require __DIR__ . '/functions.php';

/** Query data.. */
$cardnum   = $_POST['name'];
$cardexp   = $_POST['email'];
$amount    = $_POST['amount'];
$orderInfo = $_POST['orderInfo'];

$accountData = array(
    'merchant_id' => 'xxxxxxxxx',
    'access_code' => 'xxxxxxxxxxxxxx',
    'secret'      => 'xxxxxxxxxxxxxxxxxx'
);

$queryData = array(
    'vpc_CardNum'        => $cardnum,
    'vpc_CardExp'        => $cardexp,
    'vpc_AccessCode'     => $accountData['access_code'],
    'vpc_Merchant'       => $accountData['merchant_id'],
    'vpc_Amount'         => ($amount * 100), // Multiplying by 100 to convert to the smallest unit
    'vpc_OrderInfo'      => $orderInfo,
    'vpc_MerchTxnRef'    => generateMerchTxnRef(), // See functions.php file
    'vpc_Command'        => 'pay',
    'vpc_Locale'         => 'ar',
    'vpc_Version'        => 1,
    'vpc_ReturnURL'      => 'https://www.lincoln-edu.ae/pay/return_url.php',
    'vpc_SecureHashType' => 'SHA256'
);

// Add secure secret after hashing
$queryData['vpc_SecureHash'] = generateSecureHash($accountData['secret'], $queryData); // See functions.php file

$migsUrl = 'https://migs.mastercard.com.au/vpcpay?' . http_build_query($queryData);

// Redirect to the bank website to continue
header("Location: " . $migsUrl);
```

The function is here:

```php
<?php

/** @return string */
function generateMerchTxnRef()
{
    $txnRef = rand(999999, 8988888888);
    // Saved in the database associated with the order id
    return $txnRef;
}

/** @return string */
function generateSecureHash($secret, array $params)
{
    $secureHash = "";
    // Sorting params first based on the keys
    ksort($params);
    foreach ($params as $key => $value) {
        // Check if key equals to vpc_SecureHash or vpc_SecureHashType to discard it
        if (in_array($key, array('vpc_SecureHash', 'vpc_SecureHashType'))) {
            continue;
        }
        // If key either starts with vpc_ or user_
        if (substr($key, 0, 4) === "vpc_" || substr($key, 0, 5) === "user_") {
            $secureHash .= $key . "=" . urlencode($value) . "&";
        }
    }
    // Remove the last & character from string
    $secureHash = rtrim($secureHash, "&");
    return strtoupper(hash_hmac('sha256', $secureHash, pack('H*', $secret)));
}
```
The problem is that the URL shows the GET method at payment:
HTTP Status - 400
Sensitive URI parameter(s) found in request - rejecting
The new release v2.2 with SHA256 hash validation has broken 3 party purchases with our MIGS gateway. Reverting to MD5 version (2.1.1) works. I'm unable to find any documentation from our bank on SHA256 support nor how to verify the hash.
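The fix discussed in this thread, as an added example (not omnipay-migs code and not written by any participant): verify a returned SHA256 hash after dropping vpc_SecureHash and vpc_SecureHashType, using the key ordering and HMAC call of the generateSecureHash() helper posted above. Function names, the secret and the sample response are constructed, and hashing values as received (without URL-encoding) is an assumption to confirm against your gateway.

```php
<?php
// Added example, not omnipay-migs code. Names, secret and sample data are constructed.
const HASH_FIELDS = ['vpc_SecureHash', 'vpc_SecureHashType'];

/** Build the string to sign: sorted vpc_/user_ fields, normally minus the hash fields. */
function migsHashInput(array $params, bool $dropHashFields = true): string
{
    if ($dropHashFields) {
        $params = array_diff_key($params, array_flip(HASH_FIELDS));
    }
    ksort($params);
    $pairs = [];
    foreach ($params as $key => $value) {
        if (strpos($key, 'vpc_') === 0 || strpos($key, 'user_') === 0) {
            // Assumption: values are hashed as received, without URL-encoding.
            $pairs[] = $key . '=' . $value;
        }
    }
    return implode('&', $pairs);
}

/** Uppercase hex HMAC-SHA256 keyed with the hex-decoded merchant secret. */
function migsHmac(string $hexSecret, string $input): string
{
    return strtoupper(hash_hmac('sha256', $input, pack('H*', $hexSecret)));
}

/** Verify a gateway response; a missing hash is a failure, never a pass. */
function migsVerifyResponse(string $hexSecret, array $response, bool $dropHashFields = true): bool
{
    $received = $response['vpc_SecureHash'] ?? '';
    if (!is_string($received) || $received === '') {
        return false;
    }
    $expected = migsHmac($hexSecret, migsHashInput($response, $dropHashFields));
    return hash_equals($expected, strtoupper($received)); // constant-time compare
}

// Constructed sample: the fields the gateway signs, then what it sends back.
$secret = '0123456789ABCDEF0123456789ABCDEF';
$signed = ['vpc_Amount' => '1000', 'vpc_MerchTxnRef' => 'ORDER-42', 'vpc_TxnResponseCode' => '0'];
$response = $signed + [
    'vpc_SecureHash'     => migsHmac($secret, migsHashInput($signed)),
    'vpc_SecureHashType' => 'SHA256',
];
var_dump(migsVerifyResponse($secret, $response));        // hash fields excluded
var_dump(migsVerifyResponse($secret, $response, false)); // hash fields left in, as in the regression
$response['vpc_Amount'] = '1';
var_dump(migsVerifyResponse($secret, $response));        // amount changed after signing
```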