From f5bbc7810177b4becd7030cac76bbe3a9ddc9258 Mon Sep 17 00:00:00 2001 From: "Stefan A. Brannfjell" Date: Sat, 13 Apr 2019 00:34:11 +0200 Subject: [PATCH] ipn.php: Verify peer and host in SSL Security issue reported by @slawkens All wifi traffic is broadcasted - this means that any nearby sniffing devices can read your traffic. If you're connecting to a page through HTTP over public/unencrypted wifi you can assume that whatever information you are sending and receiving is public - all it takes is an attacker nearby with an antenna to read all that in plaintext. To perform a true MITM by having traffic flow through them, attackers can use technologies like WiFi pineapples or aircrack-ng to force users to connect to their wifi network. Connecting over cable internet is much harder to intercept/mitm because you're not broadcasting your traffic for the whole neighborhood. In order to compromise this network an attacker will have to gain access to it somehow - either through physical access to a network port, malware installed on a host machine or router, etc. When an attacker has access to a network they then have to exploit that access through attacks such as ARP poisoning or HSRP spoofing. These attacks just MITM traffic - anyone on the network can still sniff (read, but not change) traffic, but keep in mind HTTPS traffic is still encrypted and can't be read. https://security.stackexchange.com/questions/153148/how-easy-it-is-to-actually-perform-mitm-attack-these-days
---
 ipn.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipn.php b/ipn.php
index 95698ed..8ff8910 100644
--- a/ipn.php
+++ b/ipn.php
@@ -25,8 +25,8 @@
 $IPN['cmd'] = '_notify-validate';
 $PaypalHost = (empty($IPN['test_ipn']) ? 'www' : 'www.sandbox').'.paypal.com';
 $cURL = curl_init();
- curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false);
- curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false);
+ //curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false);
+ //curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false);
 curl_setopt($cURL, CURLOPT_URL, "https://{$PaypalHost}/cgi-bin/webscr");
 curl_setopt($cURL, CURLOPT_ENCODING, 'gzip');
 curl_setopt($cURL, CURLOPT_BINARYTRANSFER, true);
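Review bot: The two insecure calls are only commented out, so certificate and hostname checking now rest on libcurl's defaults and the `false` lines remain in the file, easy to restore by mistake; replacing them with `curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, true);` and `curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, 2);` states the intent in the code itself. This request is what decides whether a PayPal notification is genuine, so the TLS check is part of the payment-verification logic and deserves a one-line comment saying so. With verification on, a server that has no CA bundle configured will make `curl_exec` fail; the response handling lies outside this hunk, so it is worth confirming that a failed or empty response is treated as unverified and logged, and that the documented remedy is fixing the CA store rather than re-enabling the old lines.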