Description
Summary
Critical vulnerabilities allow attackers to mark any order as paid without actual payment, and hardcoded admin credentials in source code enable immediate account takeover.
Findings
1. PayPal callback IDOR — mark any order as paid (CRITICAL)
The PayPal payment callback/IPN handler accepts an order ID without verifying that the PayPal transaction corresponds to that specific order. An attacker can craft a callback request to mark any order as paid without completing actual payment.
2. Missing order ownership validation (HIGH)
Order viewing and management endpoints don't verify the authenticated user owns the order. Any authenticated user can view and interact with any order by changing the ID parameter.
3. Hardcoded admin credentials in source code (HIGH)
Admin credentials (admin@admin.com / admin123) are hardcoded in seeders or configuration files committed to the repository. Anyone with access to the source code has immediate admin access.
Recommended Fix
- Verify PayPal IPN/webhook signatures and match transaction amounts to order totals before marking orders as paid
- Add ownership checks on all order endpoints: Order::where('user_id', auth()->id())->findOrFail($id)
- Remove hardcoded credentials from source code; use environment variables and require credential change on first setup
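The three fixes above, put together as an added Laravel example (this is illustrative code written for this report, not the repository's own code). It assumes an `Order` model with `user_id`, `status`, `currency`, `total` and `paypal_txn_id` columns, a `User` model, the standard Laravel HTTP client, that the order id was placed in PayPal's `custom` field when the payment was created, and config keys `services.paypal.email` and `services.paypal.sandbox`; the class and file names are placeholders.

```php
<?php
// file: app/Http/Controllers/PaymentController.php (assumed path)
namespace App\Http\Controllers;

use App\Models\Order;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;

class PaymentController extends Controller
{
    // BEFORE (the pattern finding 1 describes): the order id is a free request
    // parameter and nothing confirms with PayPal that money actually moved.
    public function ipnVulnerable(Request $request)
    {
        $order = Order::findOrFail($request->input('order_id'));
        $order->update(['status' => 'paid']);
        return response('OK');
    }

    // AFTER: validate the IPN with PayPal, then match it against our own record.
    public function ipn(Request $request)
    {
        // 1. Echo the untouched body back to PayPal with cmd=_notify-validate
        //    prepended; only a literal "VERIFIED" reply is trusted.
        $verifyUrl = config('services.paypal.sandbox')
            ? 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'
            : 'https://ipnpb.paypal.com/cgi-bin/webscr';
        $reply = Http::withBody('cmd=_notify-validate&' . $request->getContent(),
                                'application/x-www-form-urlencoded')
            ->post($verifyUrl)
            ->body();
        if ($reply !== 'VERIFIED') {
            Log::warning('IPN failed PayPal validation', ['reply' => $reply]);
            return response('', 400);
        }

        // 2. The order comes from the value we set at checkout ('custom'),
        //    and an already-paid order is never touched again.
        $order = Order::find($request->input('custom'));
        if ($order === null || $order->status === 'paid') {
            return response('OK');
        }

        // 3. Completed, addressed to our account, exact amount and currency,
        //    and a transaction id we have not credited before (replay check).
        $amountMatches = number_format((float) $request->input('mc_gross', 0), 2, '.', '')
            === number_format((float) $order->total, 2, '.', '');
        $ok = $request->input('payment_status') === 'Completed'
            && $request->input('receiver_email') === config('services.paypal.email')
            && $request->input('mc_currency') === $order->currency
            && $amountMatches
            && ! Order::where('paypal_txn_id', $request->input('txn_id'))->exists();

        if (! $ok) {
            Log::warning('IPN rejected', ['order' => $order->id, 'ipn' => $request->all()]);
            return response('OK'); // acknowledge so PayPal stops retrying, but do not mark paid
        }

        $order->update(['status' => 'paid', 'paypal_txn_id' => $request->input('txn_id')]);
        return response('OK');
    }
}

// file: app/Http/Controllers/OrderController.php (assumed path)
class OrderController extends Controller
{
    // Finding 2: scope every lookup to the caller, so a foreign id is a 404,
    // not another user's order.
    public function show($id)
    {
        $order = Order::where('user_id', auth()->id())->findOrFail($id);
        return view('orders.show', compact('order'));
    }
}

// file: database/seeders/AdminSeeder.php (assumed path)
namespace Database\Seeders;

use App\Models\User;
use Illuminate\Database\Seeder;
use Illuminate\Support\Facades\Hash;

class AdminSeeder extends Seeder
{
    // Finding 3: no literal credentials in the repository. The seeder refuses
    // to run without an operator-supplied password and flags it for rotation.
    public function run(): void
    {
        $password = env('ADMIN_INITIAL_PASSWORD');
        if (! is_string($password) || strlen($password) < 12) {
            throw new \RuntimeException('Set ADMIN_INITIAL_PASSWORD (12+ chars) in .env before seeding');
        }
        User::updateOrCreate(
            ['email' => env('ADMIN_EMAIL', 'admin@example.invalid')],
            ['name' => 'Admin', 'password' => Hash::make($password), 'must_change_password' => true]
        );
    }
}
```

Two design points: the IPN handler still answers `OK` to a verified-but-mismatched message so PayPal stops retrying, while the mismatch is logged for review rather than silently credited; and the amount comparison goes through a fixed two-decimal string so float noise cannot make `mc_gross` appear to equal the order total when it does not. The `must_change_password` flag is an assumed column that the login flow would check to force a reset on first sign-in.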
Impact
Financial fraud via marking unpaid orders as complete. Full admin access via publicly visible credentials.