Hello All,
We are going to take over this site with our wifi software, BUT the final payment form can be altered for a payment of a penny.
They use JavaScript to post the form after submission.
<script language='javascript'>var vPostForm = document.PostForm;vPostForm.submit();</script>
(link has been removed)
To test, click on one of the plans, then disable JavaScript when you see “Payment Options” and refresh that page.
With JavaScript disabled, click the “Pay” button at the bottom.
Now view source and you have (verbatim, all on one line),
<form id="PostForm" name="PostForm" style="display:hidden" action="payment_gateway.jsp" method="POST" ><input type="hidden" name="merchant" value="xxxx7883" /><input type="hidden" name="store" value="1234" /><input type="hidden" name="term" value="001" /><input type="hidden" name="total" value="5000" /><input type="hidden" name="currency" value="484" /><input type="hidden" name="order_id" value="5a4c5fcd-5f7e-4a46-b64e-dfe8827" /><input type="hidden" name="address" value="mystore" /><input type="hidden" name="digest" value="728fbdfd8c3e7a241c117b3c1fcbd3f86935e3f0" /><input type="hidden" name="return_target" value="" /><input type="hidden" name="urlBack" value="https://www.me.com/Validate" /><input type="hidden" name="type" value="H" /><input type="hidden" name="period" value="1" /><input type="hidden" name="planPrice" value="50.00" /><input type="hidden" name="planMoney" value="MXN" /><input type="hidden" name="lookProsa" value="https://me.com/cancun" /></form><script language='javascript'>var vPostForm = document.PostForm;vPostForm.submit();</script>
Now I have a nice little form and I will get my internet access for a penny.
This may seem trivial but over the years we have seen this method used and shared with other people with our own wifi access forms.
The problem is that they pay and get wifi; by the time we view the payment reports, they are long gone.
Surely there must be a way to ensure “planPrice” cannot be altered.
I suppose I could use cURL and display the form from the gateway on the target site, but I'm not sure of the security implications, and this would not work with our other payment gateways.
It would be nice if “header location” could be combined with cURL and have PHP send the browser along with posted data to the gateway.
I’m open to ideas.
Thank you
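
One way to make the hidden fields tamper-evident, as an added example that is not part of the original post or the gateway's code: the server fills the fields from its own plan table, signs them with an HMAC, and re-checks them at the return URL before granting access. The plan table, key, `sig` field and function names are assumptions for illustration; the page does not say which fields the gateway's own `digest` covers, so the amount the gateway reports as paid still has to be compared with the order on the server.

```php
<?php
// Added illustration; names, key and plan data below are hypothetical.
const SIGNING_KEY = 'placeholder-secret-kept-only-on-the-server';
const PLANS = ['H1' => ['price' => '50.00', 'currency' => 'MXN']]; // constructed
const SIGNED = ['order_id', 'type', 'period', 'planPrice', 'planMoney'];

// Unambiguous encoding of the signed values, in a fixed order.
function canonical(array $f): string {
    $values = [];
    foreach (SIGNED as $k) {
        $values[] = $f[$k];
    }
    return json_encode($values);
}

// Build the hidden fields from server-side data only, never from request input.
function build_fields(string $planId, string $orderId): array {
    $plan = PLANS[$planId];
    $f = ['order_id' => $orderId, 'type' => 'H', 'period' => '1',
          'planPrice' => $plan['price'], 'planMoney' => $plan['currency']];
    $f['sig'] = hash_hmac('sha256', canonical($f), SIGNING_KEY);
    return $f;
}

// Run at the return URL. $planId comes from the server's own order record.
function verify_fields(array $posted, string $planId): bool {
    if (!array_key_exists($planId, PLANS)) {
        return false;
    }
    foreach (array_merge(SIGNED, ['sig']) as $k) {
        if (!isset($posted[$k]) || !is_string($posted[$k])) {
            return false; // missing or malformed field
        }
    }
    $expected = hash_hmac('sha256', canonical($posted), SIGNING_KEY);
    if (!hash_equals($expected, $posted['sig'])) {
        return false; // a signed field was changed in the browser
    }
    // Signature is valid; the price must still equal the server's own value.
    return $posted['planPrice'] === PLANS[$planId]['price']
        && $posted['planMoney'] === PLANS[$planId]['currency'];
}

$fields = build_fields('H1', 'order-0001'); // constructed order id
var_dump(verify_fields($fields, 'H1'));     // form as issued by the server
$edited = $fields;
$edited['planPrice'] = '0.01';
var_dump(verify_fields($edited, 'H1'));     // planPrice edited after signing
```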