Solved

Apache configuration disallowing another website from accessing an osCommerce 'callback script'

Posted on 2006-11-16
Last Modified: 2010-03-04
I have a website which is in osCommerce and is using an external payment provider (SecPay) to deal with transactions.

When I reach checkout confirmation and confirm my order, it goes to the payment provider and variables are passed correctly.

When the payment has been processed and confirmed with the payment provider, it is meant to return to my site (checkout_confirmation.php I think is the page it goes back to) and I assume pass some variables back.

According to the payment provider, this is failing (determined by an error on their page at the end of payment) because "Apache may not be configured to allow their website access to our callback script".

What should I be looking for in httpd.conf to solve this?
Any other comments or suggestions appreciated.
0
Question by:wbstech
7 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17961242
Check out any and all statements that say "deny".  Check all of Apache's conf files.  httpd.conf is the main one, but, say you are running this on Linux, you may have a directory called /etc/httpd/conf.d which has other conf files that could be used.

You would first check out the Directory definition for the directory where the "checkout_confirmation.php" file resides.

0
 
LVL 4

Author Comment

by:wbstech
ID: 17963552
OK, I can't really see anything that may be blocking it. But I'll post up some (possibly) relevant chunks of httpd.conf that may help:

-------------------------chunk 1----------------------------------------------
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions.  
#
<Directory />
Options All
AllowOverride All
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/usr/local/apache/htdocs">

#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
    Options Indexes FollowSymLinks MultiViews

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all
</Directory>
---------------------------------------------------------------------------------------


-------------------chunk 2 (Virtual host entry for relevant domain)--------------
<VirtualHost xx.xxx.xx.xxx>
ServerAlias mydomain.com
ServerAdmin webmaster@mydomain.com
DocumentRoot /home/mydomain/public_html
BytesLog domlogs/mydomain.com-bytes_log
ServerName www.mydomain.com

User mydomain
Group mydomain
CustomLog /usr/local/apache/domlogs/mydomain.com combined
ScriptAlias /cgi-bin/ /home/mydomain/public_html/cgi-bin/
</VirtualHost>
----------------------------------------------------------------------------------------

The directory/file (relative to the domain's home directory) is /catalog/checkout_process.php - This is not specifically configured in any of the configuration files in any way that I can find.

And just for the fun of it, here's access.conf:

------------access.conf-------------------------------
<Directory />

Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All

order allow,deny
allow from all

</Directory>
---------------------------------------------------------
0
 
LVL 13

Expert Comment

by:rhickmott
ID: 17964004
What do you get if you try calling

http://www.domain.com/catalog/checkout_process.php

Does it allow you to view the page, return a blank page, or return an HTTP error? If the latter, then it's being blocked. If the error is PHP-based or something that the script has generated, then your issue is NOT Apache.
0

 
LVL 4

Author Comment

by:wbstech
ID: 17964016
It goes to that page and redirects me to the index page, exactly as it should, since there is no session or shopping basket.
0
 
LVL 13

Expert Comment

by:rhickmott
ID: 17964060
Right, taking a stab in the dark here, but it sounds like checkout_process.php is NOT your callback script but the script which handles the shopping basket checkout.

I don't have experience with SecPay, but in general terms you have a return page, a failure page and a callback script.

A return page is a thank-you page which they return the USER to upon successful completion of checkout.
A failure page is a sorry page which they return the USER to upon failure of payment.

These don't have to do anything, just act as "thank you, your order has been paid" etc. They can clean up the session, mark as checkout completed if the order is stored in a database, etc.

A callback script is a different kettle of fish. It's a script which sits on your server. When checkout is completed, SecPay should send a POST request to this script, posting it details of the transaction, the order number, confirmation ID, etc. Using these details you can update the order to PAYMENT TAKEN and then send out "Thank you, your payment was taken" e-mails. You normally provide them details of this script, and basically only you and them know the URL; it's not part of the checkout process, for security purposes. I would suggest contacting SecPay and asking them what URL they have for your callback script and what the URL is for this script.
0
 
LVL 4

Author Comment

by:wbstech
ID: 18018084
The problem was solved by implementing SSL.
0
 
LVL 13

Accepted Solution

by:
rhickmott earned 500 total points
ID: 18018242
Which would suggest they were trying to call back to https:// then.
0
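An added example, not part of the original thread: a small Python audit that combines giltjr's advice (list every access directive together with the container it sits in, and pick out the Deny lines) with the accepted conclusion (check whether the virtual host serves HTTPS at all). The sample configuration is constructed; the /catalog block, its Deny line and the address 192.0.2.10 are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the httpd.conf chunks quoted in the thread.
# The /catalog block, its Deny line and 192.0.2.10 are made up for illustration.
SAMPLE_CONF = """\
<Directory "/usr/local/apache/htdocs">
    Order allow,deny
    Allow from all
</Directory>
<Directory "/home/mydomain/public_html/catalog">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Directory>
<VirtualHost 192.0.2.10>
    ServerName www.mydomain.com
    DocumentRoot /home/mydomain/public_html
</VirtualHost>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
ACCESS = re.compile(r"(order|allow|deny|require)\b", re.I)

def audit(conf_text):
    """Return (rules, vhosts): access directives per container, HTTPS status per vhost."""
    stack, rules, vhosts = [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            del stack[-1:]  # leave the innermost container
        elif (m := OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            if m.group(1).lower() == "virtualhost":
                vhosts.append({"name": None, "https": m.group(2).endswith(":443")})
        elif ACCESS.match(line):
            rules.append((lineno, stack[-1] if stack else "(server)", line))
        elif vhosts and any(s.lower().startswith("virtualhost") for s in stack):
            key, _, value = line.partition(" ")
            if key.lower() == "servername":
                vhosts[-1]["name"] = value.strip()
            elif key.lower() == "sslengine" and value.strip().lower() == "on":
                vhosts[-1]["https"] = True
    return rules, vhosts

def denies(rules):
    """Only the directives that can refuse a client (Deny, Require ... denied)."""
    return [r for r in rules if re.match(r"deny\b|require\b.*\bdenied\b", r[2], re.I)]
```

Run it over the concatenated contents of httpd.conf and every included file; a virtual host reported with `https: False` cannot answer a callback sent to an https:// URL.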
