Digitalstack/ZnoteAAC
2
0
Fork 0
mirror of https://github.com/Znote/ZnoteAAC.git synced 2025-04-30 11:19:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

ipn.php: Verify peer and host in SSL

Browse Source 
Security issue reported by @slawkens 

All wifi traffic is broadcasted - this means that any nearby sniffing devices can read your traffic. If you're connecting to a page through HTTP over public/unencrypted wifi you can assume that whatever information you are sending and receiving is public - all it takes is an attacker nearby with an antenna to read all that in plaintext. To perform a true MITM by having traffic flow through them, attackers can use technologies like WiFi pineapples or aircrack-ng to force users to connect to their wifi network.

Connecting over cable internet is much harder to intercept/mitm because you're not broadcasting your traffic for the whole neighborhood. In order to compromise this network an attacker will have to gain access to it somehow - either through physical access to a network port, malware installed on a host machine or router, etc. When an attacker has access to a network they then have to exploit that access through attacks such as ARP poisoning or HSRP spoofing. These attacks just MITM traffic - anyone on the network can still sniff (read, but not change) traffic, but keep in mind HTTPS traffic is still encrypted and can't be read.

https://security.stackexchange.com/questions/153148/how-easy-it-is-to-actually-perform-mitm-attack-these-days
This commit is contained in:
Stefan A. Brannfjell 2019-04-13 00:34:11 +02:00 committed by GitHub
parent ce3fcf3b51
commit f5bbc78101
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ipn.php
View File

@ -25,8 +25,8 @@
$IPN['cmd'] = '_notify-validate'; $IPN['cmd'] = '_notify-validate';
$PaypalHost = (empty($IPN['test_ipn']) ? 'www' : 'www.sandbox').'.paypal.com'; $PaypalHost = (empty($IPN['test_ipn']) ? 'www' : 'www.sandbox').'.paypal.com';
$cURL = curl_init(); $cURL = curl_init();
curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false); //curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false); //curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($cURL, CURLOPT_URL, "https://{$PaypalHost}/cgi-bin/webscr"); curl_setopt($cURL, CURLOPT_URL, "https://{$PaypalHost}/cgi-bin/webscr");
curl_setopt($cURL, CURLOPT_ENCODING, 'gzip'); curl_setopt($cURL, CURLOPT_ENCODING, 'gzip');
curl_setopt($cURL, CURLOPT_BINARYTRANSFER, true); curl_setopt($cURL, CURLOPT_BINARYTRANSFER, true);