PayPal IPN sends a POST request with a variable number of fields to the notify URL. To confirm that the request is legitimate, we are required to resubmit the same request to PayPal with an additional cmd=_notify-validate field, to which PayPal then replies VERIFIED or INVALID.
My question is: why do we need to send the request back to PayPal? Wouldn't something like this work?
if (preg_match('~^(?:.+[.])?paypal[.]com$~i', gethostbyaddr($_SERVER['REMOTE_ADDR'])) > 0) {
    // The request came from PayPal, it is legit.
}
Iff we can trust the server to resolve the IP, I think we can trust all requests from PayPal, no?
I know this question is very old, but:
The attacker has no need to spoof his IP or perform any kind of MITM to pass your validation:
- He connects from his own machine, with his own IP address x.y.z.t
- Your server calls gethostbyaddr("x.y.z.t"), which sends a DNS query for the name t.z.y.x.in-addr.arpa.
- If x.y.z.t belongs to the attacker, then it is likely that he also controls (at least) the DNS domain z.y.x.in-addr.arpa (since it holds his own IP). He can return "paypal.com" in response to that query
- Your server receives "paypal.com" from the attacker's DNS server, and your validation check succeeds
This attack is defeated by sending the request back to PayPal as suggested.
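The postback that the answer recommends, as an added example (not code from the question or the answer): the handler echoes the raw body to PayPal over certificate-verified TLS and acts only on a VERIFIED reply, so the sender's IP and reverse DNS name play no part in the decision. The endpoint URL and the function names `paypalPostback` and `ipnIsGenuine` are assumptions; the sample body is constructed.

```php
<?php
// Added example. The endpoint below is an assumption based on PayPal's IPN docs.
const IPN_POSTBACK_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

/** POST $payload to PayPal over certificate-verified TLS; return the reply body. */
function paypalPostback(string $payload): string
{
    $ch = curl_init(IPN_POSTBACK_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $payload,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the peer is authenticated by its certificate,
        CURLOPT_SSL_VERIFYHOST => 2,    // not by a PTR record the sender's DNS supplies
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply  = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($reply === false || $status !== 200) {
        throw new RuntimeException('IPN postback failed: ' . curl_error($ch));
    }
    return $reply;
}

/** True only when PayPal confirms that it sent exactly this message. */
function ipnIsGenuine(string $rawBody, ?callable $postback = null): bool
{
    if ($rawBody === '') {
        return false;
    }
    $postback = $postback ?? 'paypalPostback';
    // Echo the body byte for byte: rebuilding it from $_POST can re-encode fields.
    $reply = $postback('cmd=_notify-validate&' . $rawBody);
    return trim($reply) === 'VERIFIED';
}

if (PHP_SAPI === 'cli') {
    // Constructed body and stand-in replies, so the decision logic runs offline.
    $sample = 'txn_id=CONSTRUCTED-1&payment_status=Completed&mc_gross=10.00';
    var_dump(ipnIsGenuine($sample, fn(string $p): string => 'VERIFIED'));
    var_dump(ipnIsGenuine($sample, fn(string $p): string => 'INVALID'));
} else {
    // Notify handler: REMOTE_ADDR and its reverse DNS name are never consulted.
    if (!ipnIsGenuine(file_get_contents('php://input'))) {
        error_log('IPN rejected: PayPal did not confirm the message');
    }
}
```

If the postback itself fails, the function throws rather than returning true, so a network error is never treated as a confirmation.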