Paypal Express Checkout Button Results In 403 Access Forbidden

Hi,



Upgraded from 4.2.4 to 4.3.1 today and have had problems with Paypal payments showing up as “Pending Payment” when they were actually paid in paypal.



Since this seems to be an issue in 4.3.1 and no fix is available, I installed PayPal Express Checkout and enabled the API's in our Paypal account.



This correctly works, and orders are updated correctly when someone checks out and completes payment.



HOWEVER… checkout is only possible via “Proceed to checkout” button on our website, the other button which is hosted by Paypal “Check out with PayPal” results in error 403 Access Forbidden.



I have checked the permissions and all are correct, not sure whats going on?

Im not sure if our problem is related, but in the interest of solving problems…

We also have issues with the PayPal express function invoked by the "Check out with PayPal"button.



It seems a bit random from day to day. Sometimes it works, sometimes not.

Today its a problem, get the message:

[quote]Error 10727 Shipping Address1 Empty: The field Shipping Address1 is required[/quote]



Its been an issue with 4.2.4. Permissions are currently not as tight as we would run , currently 644 and 600

Have dbl checked the PayPal settings, and everything is correct…as expected since it was sometimes working.



Note. I have cleared cache by &cc&ctpl and even deleted the entire /cache folder to test.

Ok, this is bugging me now…

Today I tried for hours, testing the PayPal Express, and it just would not work, instead returning the error:

Error 10727 Shipping Address1 Empty: The field Shipping Address1 is required

Conditions:

v2.4.2 (after recovering a poor 4.3.1 install) and 4.31

Set file perms to 644,

Cleared the cache by deleting the /var/cache folder, AND using the &cc&ctpl in admin.

Cleared the browser cache, and tried other browsers. … but it just would not work.



Then today, some 10 hours later I test again to to investigate, only to find that it is now working, without making changing anything at all.!

Im at a loss to understand how it could work sometimes, and others not.

Our v2.1.4 store, on the same server works fine with PayPal express, but v4.2.4 is randomly not working.

Obviously, the settings for our PP account are correct since it works sometimes.



Has anyone else had this issue?

Im also wondering if there are there any server requirement differences between v2 and v4 that may be causing this?



Cheers

I'm currently getting my hosting provider to check on the 403 permission denied error when clicking the button, ours is always giving error, never worked since we enabled Paypal Express Checkout…

I also found this which relates to presto shop but is exactly the same problem we are having with the “Check out with paypal” button on CS Cart:

Solution for PayPal 403 Forbidden Error at check out - PayPal - PrestaShop Forums



In that link they discuss the problem and a user has the solution…



Summary, the issue appears when your hosting server has certain security settings, specifically “mod_security” enabled which block the code within the button/form.



To fix, you can either get your hosting provider to disable some mod_security settings (might not be advisable) or rewrite the code to get around this (he shows what was done in presto, not sure what to do in CS Cart though…)


This issue has now been fixed by the hosting company, they must have removed some mod_security settings… however this relaxes the sites security which might not be ideal for everyone?

Ok, that makes sense. Perhaps our issue is not related.

CScart need to look into this as (from what I have read) whitelisting of mod_security rules is not the best for security. We have always had issues with cscart and mod_security settings when adding content to the website admin, which we deal with at each admin session as needed.

Since PayPal Express worked fine on previous versions, without the need for whitelisting of mod_security rules, shouldnt v4.3.x code also work fine.? Is this a potential security risk?