I was recently made aware of a CSRF exploit in BitShop which could cause damage if the attack is successful. To prevent it from happening make sure you log out of the admin area when you're finished and be careful not to click any shady links while you're logged in as admin.

Technical details:

The way the exploit works is that the attacker will some how convince the admin to click a link while they are logged in as admin. The link will take the admin to a page on the attackers website. The page will contain some javascript which will submit a hidden form and post data to the BitShop script. Even though the post request is coming from a different domain the admin session will still be resumed because the request came from the web browser of the admin when they visited the attack page.

This is actually one of the attack vectors I didn't know much about up until now because I was never taught about CSRF attacks in my web development classes and I always assumed that it wouldn't be possible to resume a session so easily when the request isn't made locally but apparently I was mistaken. It seems quite ridiculous that it would work that way without any sort of safe guard. Anyway I'll include a patch for the exploit in the next release of BitShop because several files need to be edited.

Has it always been doing that or did it start doing that after you changed something?

Don't know why that would happen, do what it says and contact Coinbase support.

It cannot be empty, Coinbase requires all your details.

It could be a problem with your Coinbase settings. Enable coinbase debugging to get more information about the problem. I'm guessing you haven't filled out your merchant profile properly.

That notice isn't doing any harm but can be fixed by removing lines 108 and 118 in the /sci/process-order.php file (both places the $_SESSION['ship_order'] variable is used).

Yes it's the last field in the Coinbase settings, it can be what ever you want.

Just found another bug in 1.0.7, checking the balance of an address on the order details page would alert the admin that the order had been paid even if it hadn't been. It also wasn't recording the true amount paid when being manually confirmed that way. Download BitShop again and update the /inc/admin/orders.inc.php page to fix those issues.

The callback url should end with /callback.php?s=CallbackSecretHere

Also make sure you fill out your merchant profile.

Read the /install/coinbase.txt file for more info.

Just found one more bug. The email sent to the buyer upon order confirmation was blank. Update the /lib/special.lib.php file to fix it. That should be one of the last bugs in 1.0.7 hopefully.

Lol I assume you mean debugged. I appreciate the help, if you find any other bugs let me know.

I didn't realize GoCoin had a way to do callback tests, it's not very easy to find is it. Anyway I have fixed the problem, transactions should be processed automatically now. Anyone using Coinbase will also need to apply this fix. Download BitShop again and replace these files:

/sci/gateways/gocoin/callback.php
/sci/gateways/coinbase/callback.php
/inc/admin/orders.inc.php

So did the transaction end up being confirmed or not? Btw you can fix that 1BTC shipping cost bug by updating the /inc/admin/orders.inc.php file.

It can be anything you want as long as it's not predictable.

If the callback script is not called before the user is returned to your shop then it will tell the buyer to wait while the transaction is processed, it doesn't mean the admin has to process the transaction manually, it means you have to wait until the callback script gets called by GoCoin. But if there's any issues with the callback script it wont get confirmed. It looks to me like the callback script should have already been called so I'm guessing there's a problem with it. Are there any error log files inside of the /sci/gateways/gocoin/ folder?

There is no callback url setting in your GoCoin account settings like there is with Coinbase. The callback url is passed to GoCoin when the order is being created. You'll know if it works or not when you complete a transaction using the GoCoin gateway. If the transaction gets confirmed then the callback script must have worked.

No BitShop doesn't have SMTP support yet but I might add it in 1.0.8.

Btw has anyone tested the gocoin or coinbase callback scripts yet?

The bug has been fixed, download BitShop again and replace the /sci/gateways/default/config.html file.

Image links do not work.

Sorry about the delayed response, had to get some sleep. I changed the name of that function from list_all_keys() to list_conf_keys(). Fixed version has been uploaded. I think most of the bugs in 1.0.7 have been sorted out now.

Ok just found a few more bugs in the admin area thanks to some helpful bug reporting. Fixed version has been uploaded.

Ok finally finished the update to BitShop, was a huge update so it took some time, well worth the effort though because BitShop is now better than ever and can even be used to accept payment in XCN. I will now go back to working on this Cryptonite web wallet.