PayPal CC Payment 403 Error

Home Forums BulletProof Security Pro PayPal CC Payment 403 Error

This topic contains 4 replies, has 2 voices, and was last updated by  AITpro Admin 1 year, 11 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #189 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Question copied from the BulletProof Security free plugin WordPress Forum and answered here:

    Hi,

    I am testing a new site and ran into a 403 forbidden error in a specific case with the PayPal sandbox environment.

    I am using PayPal Standard to accept donations. If the user has a PayPal account the flow works great. Both IPN and PDT work without issue. If the user has no PayPal account however and attempts to pay with a CC, then the string that is passed back by PayPal results in the 403 error. I am not sure exactly what BPS does not like in the string nor how to configure it to allow this condition.

    The URL passed back that results in the error is:
    example.com/give/jane2014/?tx=73397261811355915&st=Completed&amt=5.00&cc=USD&cm=&item_number=&g=1352833395&n=038d7189fd&pfund_action=donate-campaign&t=pp&tx=73397261811355915&st=Completed&amt=5.00&cc=USD&cm=&item_number=&sig=rY5HuTYgjxTawvYwdperHLSPf0PuNiHXuPG3ovU2Cpdla8OlYbZIhXseJuPPonyDLJQ2N9LiRQtf5WFYoqIDxOhOEue7EV0IGVIcfAVX0R2YJutZ86f4X8K6LICSUBV5Y5d7Ga5pUkqf6heX0pE6PisRRlYgbZNsqNPEFvMywZY%253d&sig=rY5HuTYgjxTawvYwdperHLSPf0PuNiHXuPG3ovU2Cpdla8OlYbZIhXseJuPPonyDLJQ2N9LiRQtf5WFYoqIDxOhOEue7EV0IGVIcfAVX0R2YJutZ86f4X8K6LICSUBV5Y5d7Ga5pUkqf6heX0pE6PisRRlYgbZNsqNPEFvMywZY%253d&merchant_return_link=Return+to+Test+Seller%27s+Test+Store&auth=A79DnnhlrtGZn88v3FDFOBfVYwonQP7ntkbWiWZ2J5-X9gSe8.7MD2ymmhJ0vtqclT4BU27X2LTPxIS8Y8j9xXQ&form_charset=UTF-8

    If I deactivate BPS, then the transaction completes successfully. I read the other threads on the BPS 403 errors but no of them seem to apply.

    Running BULLETPROOF PRO 5.2.2.

    Thanks for any guidance.

    Answer:

    First off the paypal script/file should be in its own folder/directory. The best site design/architecture is to compartmentalize paypal IPN or PDT or other scripts of this type.

    For important scripts such as this script you would want the ability to be able to have isolated/directory/folder specific control of the security/protection of this script file. Also by compartmentalizing this script you do not have to make security exceptions or allowances in your website root folder and throughout your entire website because of this 1 script/file.

    For example:
    Let’s say you move the paypal script/file to a folder called /paypal. you can now add an .htaccess file in the /paypal folder that will ONLY apply to files in the /paypal folder and not any other files or folders throughout your entire website. .htaccess files work in a hierarchical way – if an .htaccess file exists in a particular folder then all files in that particular folder will ONLY follow the rules of that .htaccess file.

    website root folder .htaccess file – all files in the root folder will follow the security rules in this .htaccess file and all subfolders that DO NOT have .htaccess files in them will also follow the security rules in the website root .htaccess file.
    /.htaccess

    paypal folder .htaccess file - all files in the /paypal folder will follow the security rules in this .htaccess file and not the security rules in the website root folder .htaccess file.
    /paypal/.htaccess
    /paypal/paypal-script-IPN-PDT-file.php 

    To turn off security completely for ONLY the /paypal folder you would add a RewriteEngine Off .htaccess file by doing these steps below.

    1. Open NotePad on your computer (not Word and not WordPad)
    2. Add one line of .htaccess code in the file: RewriteEngine Off
    3. Save the text file with this file name: nosecurity.txt
    4. Upload the nosecurity.txt file to the /paypal folder
    5. Rename the nosecurity.txt file to .htaccess
    6. The /paypal folder now has its own compartmentalized security rules, which are No Security/Rewriting is turned off.

    #200 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    JohnS168
    Participant

    I always appreciate your insight.  Of course you are correct, but this plug-in does not lend itself to this structure without some rewrite.  I was hoping for … well an easy answer but I guess there is none so back to the code.
    Thanks again.

    #201 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    Ok if the plugin has the API / PayPal / or whatever other script in a specific folder within that plugin’s folders then the simple solution is just to create the RewriteEngine Off .htaccess file in that particular folder.  It is better security practice to limit things as much as possible so by doing this method then only that particular folder would be less secure as opposed to adding a security exception site-wide in your root .htaccess file.

    #203 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    I can of course provide you with some sort of security exception rule in your root .htaccess file and if all else fails then that is what i will do, but this should be considered as a last resort.  ;)

    #204 Facebook Google Twitter Email Stumbleupon Digg reddit pinterest Myspace Delicious LinkedIn tumblr

    AITpro Admin
    Keymaster

    I can of course provide you with some sort of security exception rule in your root .htaccess file and if all else fails then that is what i will do, but this should be considered as a last result method.  ;)

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.