mirror of
https://github.com/Znote/ZnoteAAC.git
synced 2025-04-30 11:19:22 +02:00
ipn.php: Verify peer and host in SSL
Security issue reported by @slawkens

All wifi traffic is broadcast - this means that any nearby sniffing devices can read your traffic. If you're connecting to a page through HTTP over public/unencrypted wifi you can assume that whatever information you are sending and receiving is public - all it takes is an attacker nearby with an antenna to read all that in plaintext. To perform a true MITM by having traffic flow through them, attackers can use technologies like WiFi pineapples or aircrack-ng to force users to connect to their wifi network.

Connecting over cable internet is much harder to intercept/mitm because you're not broadcasting your traffic for the whole neighborhood. In order to compromise this network an attacker will have to gain access to it somehow - either through physical access to a network port, malware installed on a host machine or router, etc. When an attacker has access to a network they then have to exploit that access through attacks such as ARP poisoning or HSRP spoofing. These attacks just MITM traffic - anyone on the network can still sniff (read, but not change) traffic, but keep in mind HTTPS traffic is still encrypted and can't be read.

https://security.stackexchange.com/questions/153148/how-easy-it-is-to-actually-perform-mitm-attack-these-days
This commit is contained in:
parent ce3fcf3b51
commit f5bbc78101
4
ipn.php
@ -25,8 +25,8 @@
$IPN['cmd'] = '_notify-validate';
$PaypalHost = (empty($IPN['test_ipn']) ? 'www' : 'www.sandbox').'.paypal.com';
$cURL = curl_init();
curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false);
//curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($cURL, CURLOPT_URL, "https://{$PaypalHost}/cgi-bin/webscr");
curl_setopt($cURL, CURLOPT_ENCODING, 'gzip');
curl_setopt($cURL, CURLOPT_BINARYTRANSFER, true);
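Review bot: The two `curl_setopt` lines for `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` are commented out rather than corrected, so the fix now rests on libcurl's defaults and leaves a one-character edit away from re-disabling verification. Delete the commented lines and set the intent explicitly, e.g. `curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, true);` and `curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, 2);` (2 is the value that checks the certificate's name against `$PaypalHost`; `true` maps to 1, which only checks that a name exists). With verification on, the request to `https://{$PaypalHost}/cgi-bin/webscr` will fail on hosts without a usable CA bundle, so the handler should treat a failed `curl_exec` as "not verified" rather than proceeding, and can point `CURLOPT_CAINFO` at a bundled CA file if the system store is unreliable.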