PayPal order status updates failing.

  • Posts: 20
  • Thank you received: 2
  • Hikashop Business
9 years 7 months ago #197914

-- HikaShop version -- : 2.4.0
-- Joomla version -- : 3.4.1
-- PHP version -- : 5.6.3 - 5.3.29
-- Browser(s) name and version -- : I.E; Firefox; Chrome all latest versions

Hello :)

Email message received from our web-shop (From HIkashop):
"A Paypal notification was refused because the connection to the confirmation server failed" (plus all the order details)
This message typically is then received for all orders - because they are being blocked by the web-hotel servers due to its security settings.

In our account with PayPal ( www.paypal.com ) - in our PayPal account IPN-History - the message for this order is then by PayPal set to "Retrying" - that is; PayPal will continue trying to update the order status till contact is established and the order status is given accordingly.

Since about March 20th we have had this problem with our web-hotel ( www.Siteground.com ) and communication with PayPal on order update statuses. This has been perfect for years without any problems at all.

I have been working with our web-hotel to solve this, and managed to have this fixed for the PHP version 5.3.29 by having them ( www.siteground.com ) rewrite the server PHP security rules for our website. It took them 4 days to have this done successfully. But to do this, they needed the specific IP-address PayPal uses for such communication to create specific rules in their constantly more stringent security rules on their servers.

Now PHP version 5.3.29 is obsolete, and to have other plugins and extensions like Akeeba backup fully function I updated the website to use PHP version 5.6.3, and all what I did back in March now repeated itself. Again no order update statuses reaching through from PayPal, and again the same history with our web-hotel to have specific rules made for this to have our web-shop fully function with PayPal and order status updates.

This problem is only with PayPal and not our other payment gateways, methods and solutions.

This is the message given from Tech Support with www.siteground.com (of yesterday - awaiting my reply):
We have reviewed your case in details. We have added rules to your account and disabled the mod_security service for your whole account. Please now test with a different PHP version to check if the payments will work correctly.

If any issue persists, this would mean that your extensions are not compatible with the specified PHP version and you should consider continuing to work with the older PHP version. If this is the case, please update this ticket so that we can remove the rules for completely disabling the mod_security of your account and leave only the previously added rules from the file:

public_html/.htaccess

If the remote service provider is using any other IPs than 173.0.81.1, please provide us with a list of the IPs in question.

Best Regards,
Kiril I.
Technical Support Supervisor


After their message above, I activated PHP version 5.6.3, but in vain. The communication with PayPal became blocked again, so I had to have it reset to the old PHP version again (PHP version 5.3.29) - and all communication with PayPal immediately went back to normal again.
I will not use or try out other PHP versions between these two before being into the knowing of their full functionality with all systems and also Hikashop.

In the PayPal plugin in Hikashop the current (todays updates) IP-addresses are: 172.226.83.*,173.0.81.*,173.0.82.*

With the latest security settings Siteground asks for specific IP-addresses and not as given above - that is general IP-addresses. They need the exact IP-address to create exclusions from their constantly more stringent security settings and rules. Siteground is of course implementing such stringent security rules to protect us from hackers and threats, and not to create problems for us as their highly valuable customers. Siteground has proved to be a very good host for several of our websites for years, and they have a high degree of service 24-7.

Questions:
- Is Hikashop fully operational with PHP version 5.6.3 (latest version)?
- Are Hikashop and the PayPal plugin fully in line with all the new implemented security systems used by web-hotels like Siteground?
- Could you give me some information that I can give to Siteground to have all the problems solved?
- Or, is it possible to rewrite the PayPal plugin to comply with the security rules to avoid this fully?

All the best,
Bengt Svensson


  • Posts: 82868
  • Thank you received: 13375
  • MODERATOR
9 years 7 months ago #197920

Hi,

1. I can't say that I've personally tested every single feature of the latest version of HikaShop with PHP 5.6.3. But it should and for what I tested it worked fine, and no one else reported an issue with it.

2. When HikaShop receives a payment notification from PayPal, it has to contact PayPal to check with PayPal that the payment notification is legit. This request to PayPal can sometimes be blocked by web hosting companies when they don't allow external requests originating from their servers.
From what I understand from what you wrote, Siteground added an exception to their filtering so that your server could connect with PayPal servers but that exception doesn't work with the new version of PHP.
So it's not a question of whether HikaShop and our PayPal plugin is "in line" with their security measures. It's just that the way PayPal payment notifications are made, HikaShop has to do this external request to PayPal in order to avoid fraudulent order validations.

3. That problem must be recurring on their end if they're blocking external requests, as all the shops using PayPal will need that capability, so I'm surprised they don't already have a global rule for all their customers to allow their servers to connect to PayPal for payment notifications authentication. I don't have a guaranteed list of all the IPs of PayPal, but that should be something to ask to PayPal. The best I have is this list: stackoverflow.com/questions/24318275/fir...e-paypal-ipn-is-sent But it could be incomplete.

4. If you want to avoid this and "comply with the security rules", you can change the line:
if(!$fp) {
and the line:
if(!$verified) {
to:
if(false){

in the file plugins/hikashoppayment/paypal/paypal.php
This will bypass the check to the PayPal server so anyone could potentially validate orders on your website if they know what they're doing. So I can't recommend it, but at least it will work.


  • Posts: 20
  • Thank you received: 2
  • Hikashop Business
9 years 7 months ago #197973

Hello Nicolas,
As always the very helpful and clarifying creator, Thank You Nicolas :)

From what you tell here, this may only be the "beginning of a rather large" coming issue in regards of especially PayPal and the constantly more stringent security measures setup by web-hotels like Siteground. Siteground is by now a "spear head" showing the ways of increased security and new rules. As of January this year Siteground is the new partner for Joomla through the new free Joomla websites of www.joomla.com

For Siteground to create specific rules, it will have to include more than 104 given IP-addresses, and this was before we entered 2015, and who knows how many already now in this year of 2015. Because the IP-Address I find used from our web-shop and PayPal is not even listed in the article you have given with Stackoverflow here in your reply.

With this Nicolas, I am trying to put some real light upon this - as this surely needs a high degree of technical skills to have solutions to for normal website admin and webmasters to be into the knowing of. I posted this after reading the Hikashop Documentation and the error message received by Emails from our Hikashop email messaging system. (Thank you for that very good feature - has helped me and us a whole lot).

As in the last numbered paragraph - your paragraph 4 - you have something we can do to avoid all this, but then again you are not recommending it - that is to rewrite two lines to by-pass the security rules set by Siteground.
What you are suggesting here as the "last solution and way out of this issue" - That is a "Back-Door" so to say - may soon then be seen by the constantly more stringent security systems and will be "plugged" and prevented too in the time to come. It is exactly "Back-Doors" like this hackers may use too, to get in ... and the rest actually may then talk for itself in all regards.
It may then only be a temporary solution, but a risky one that most web-hotels of this high security standards will have to create rules against.

Are you sure Nicolas, that there are no other ways to deal with this from the Hikashop end and its programming? Even if there have not shown up any other cases in regards of this, it surely will come when users are starting to understand what their error messages actually means. And from the article in stackoverflow, this is not a new case or issue, but rather a larger one that will increase in width when the web-hotels increases their security.

If you have not read and understood the whole part of this, this goes for all PHP versions, and not only the latest version 5.6.3 - as this started with the now soon obsolete PHP version 5.3.29 that we temporarily were able to have function with PayPal till the IP-addresses change again - then new rules will have to be written by our web-hotel (Siteground). The rules as it is now, will have to be made and written for each exact IP-address used by PayPal.

Before I reply back to Siteground on this, I will have to be up to 100% certain of all this, if not it will only be lots of communication back and forth with me as a layman in between - a messenger.

All the best,
Bengt Svensson


  • Posts: 20
  • Thank you received: 2
  • Hikashop Business
9 years 7 months ago #198006

Hello again Nicolas,

I have now had someone from the Tech Support on higher levels review this thread here to have this fully in the light from all parties, and here is the reply to me on my ticket on this with Siteground:

Hello Bengt,
Please accept my apologies for the delayed reply, I needed some time to review the provided thread.
First I would like to thank you for the positive words you said about Siteground :)
Next, if I understand your reply properly, you believe that that what Nicolas suggested in point 4 would compromise the security of your site. If I am correct, you have misunderstood him.
The suggested changes won't avoid our security rules. They will avoid the verification of the received payment notification with Paypal. The only problem here would be that if someone manages to send you a fake payment notification, you will accept it as legit.
If there is anything else that we can help you with, please contact us anytime!
Best Regards,
Yavor I.
Technical Support Team


With that statement from Siteground, all this can then fully be avoided by the implementation you gave in your numbered paragraph 4. I do not know if it then also could be done something in relation to the last part of the answer from Siteground and the programming of the PayPal plugin.

Is it also possible to have the full rewriting of this part of the PayPal plugin given here? (The given lines).

All the best,
Bengt Svensson

Last edit: 9 years 7 months ago by Jerome.


  • Posts: 26158
  • Thank you received: 4028
  • MODERATOR
9 years 7 months ago #198011

Hi,

The code modification Nicolas proposed is in no way a backdoor.
All a hacker would be able to do with it is confirm the orders of your website even without making a payment.
Even in that case, the hacker should fake a Paypal IP when sending his fake notification ; It's not something common and the hacker must know that you deactivated the paypal confirmation... Even if I understand a part of the message of Yavor, it does not have such kind of security breach.
And if you don't want that risk and don't want to have your hosting company add extra rules to allow your server to connect to PayPal, then, you can simply turn off the "allow payment notifications from PayPal". And you'll have to manually confirm the orders yourself.

As Nicolas said previously, the issue is not in HikaShop.
There is no programming trick to be able to contact an external server if your hosting company blocks connections to external servers.
You're basically asking us if there is a way to open a locked door using only a key without having any keys. And that's not possible. The solution is to have the key (have your hosting company allow for external connections to PayPal).

The PHP version is not linked to the problem. HikaShop does the exact same thing regardless of the PHP version. The difference here, from what we understood of your message, is that the rules that your hosting company set worked only for your previous version of PHP, not the new one. So again, that's nothing we can change on our end.

Is it also possible to have the full rewriting of this part of the PayPal plugin given here? (The given lines).

No, that won't be possible because the goal of the payment notification with Paypal is to contact Paypal in order to confirm the transaction ; if your server does not allow to make a connection with paypal ; you have to deactivate the payment notifications and confirm the order manually.

Even if Nicolas gave you a patch to perform half of the job ; Paypal will continue to send notifications until it gets a confirmation from your server (a thing it will never have in your case) ; So I can't provide a half-working plugin.
You can modify the plugin if you want in order to remove some checks in the plugin, but regarding the restriction of your web hosting, we are not able to provide you a rewritten plugin which will fit to that.
The current plugin can work with that statement, as long as you do not use the payment notifications with Paypal.

Once again, In that current case, the issue is not related to HikaShop but to your hosting.
If your hosting can't provide you the feature to validate a paypal order ; you won't validate paypal orders and you will have to do it manually.
Nicolas tried to propose you something to help you but we won't be able to do more than that ; because that's not the way that paypal is working and the problem is not coming from our plugin or implementation.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.


  • Posts: 20
  • Thank you received: 2
  • Hikashop Business
9 years 7 months ago #198109

Thank you Jerome :)

Please be aware that I am nothing but a layman in this, and my knowing is reduced to what I am being told by both you and the tech staff of our web-hotel - that is www.siteground.com - so please have some tolerance with both my skills and explanations.

Please read the message given from Siteground upon the response you gave me: (I have given siteground tech support the link to follow this thread here in the forum)

Hello Bengt,
Yes, indeed there are many other shops that are using our hosting company and are making payments with Paypal. However, the case there might be simply that they connect to port 80 or one of the already allowed ports and not a specific outgoing port as there are several ports that are opened for both incoming and outgoing connections.
So if the plugin for example is trying to connect to Paypal on port 4040 we will have to allow the connect to go on that port. Unfortunately, we cannot whitelist the whole port as you might understand for security reasons, but we can whitelist several IPs and no IP networks, of course this goes for our shared servers and not for our dedicated solutions.
On our dedicated solutions we have more flexible setup and we can perform changes such as whitelisting IP networks and even host names for any specific port that you would like. However, since you are hosted on shared hosting account we are sort of limited.
Anyway, there is no where in the reply from the plugin developers where they specify what type of connection is made towards Paypal or on what port so that we can at least try to open them for you.
Best Regards,
Rusi Malinov
Technical Support Team


Before even going into using a dedicated server program with siteground, it would be nice to know if you could give answers to what siteground is asking me for in their above given response.

All the best,
Bengt Svensson


  • Posts: 82868
  • Thank you received: 13375
  • MODERATOR
9 years 7 months ago #198126

Hi,

Our payment plugin connects to the hostname www.paypal.com on the port 443 which is the standard port for SSL.
Here is the code if they want more details:
take.ms/D8mqw
There is nothing special in our code. It's a standard fsockopen call to paypal in SSL.
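Added example, not HikaShop's or PayPal's own code: a fail-closed version of the IPN post-back check that Nicolas describes in points 2 and 4 above and whose connection details (www.paypal.com, port 443, fsockopen) this last reply gives. Instead of turning the `!$fp` and `!$verified` checks into `if(false)`, it leaves the order unconfirmed when PayPal cannot be reached and answers PayPal with a non-200 status so the notification stays in "Retrying" until the host's outbound rule is fixed. The function and its return values are my own naming; `$post` is assumed to be the raw IPN POST fields.

```php
<?php
// Added example: fail-closed PayPal IPN verification (not HikaShop's code).
// Flow from the thread: the shop receives a notification, then opens its own
// SSL connection to www.paypal.com:443 and asks PayPal whether it is genuine.
function verifyPaypalIpn(array $post, $host = 'www.paypal.com', $timeout = 30)
{
    // Echo every received field back, prefixed with cmd=_notify-validate,
    // which is what PayPal's IPN protocol expects for the post-back.
    $body = 'cmd=_notify-validate';
    foreach ($post as $key => $value) {
        $body .= '&' . urlencode($key) . '=' . urlencode($value);
    }

    $errno = 0;
    $errstr = '';
    // This outbound connection is the one a hosting firewall must allow.
    $fp = @fsockopen('ssl://' . $host, 443, $errno, $errstr, $timeout);
    if (!$fp) {
        // Fail closed: an unreachable PayPal never confirms an order.
        return array('status' => 'unreachable', 'detail' => $errno . ' ' . $errstr);
    }

    $request  = "POST /cgi-bin/webscr HTTP/1.1\r\n";
    $request .= 'Host: ' . $host . "\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= 'Content-Length: ' . strlen($body) . "\r\n";
    $request .= "Connection: close\r\n\r\n";
    $request .= $body;
    fwrite($fp, $request);

    $response = '';
    while (!feof($fp)) {
        $response .= fgets($fp, 1024);
    }
    fclose($fp);

    // PayPal answers with the literal word VERIFIED or INVALID in the body.
    if (strpos($response, 'VERIFIED') !== false) {
        return array('status' => 'verified', 'detail' => '');
    }
    return array('status' => 'invalid', 'detail' => '');
}

// Usage in the notification endpoint (constructed caller, not plugin code).
$result = verifyPaypalIpn($_POST);
if ($result['status'] !== 'verified') {
    // Record the reason for the admin, leave the order pending, and return a
    // non-200 status so PayPal keeps retrying instead of treating it as done.
    error_log('PayPal IPN not confirmed: ' . $result['status'] . ' ' . $result['detail']);
    header('HTTP/1.1 503 Service Unavailable');
    exit;
}
// Only here is it safe to mark the order as paid.
```

With this shape, a blocked outbound port shows up as "unreachable" entries in the log (and "Retrying" in PayPal's IPN history) rather than as confirmed orders, which is the evidence to hand to the host when asking for the outbound 443 exception.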

