Problem: Magento checkout redirects back to the cart after selecting shipping method
Environment: Magento 1.4.0.1, CentOS 5.5 (behind an nginx/0.8.53 proxy), Apache/2.2.3, Linux 2.6.18-194.26.1.el5xen x86_64
Steps to Reproduce:
- Add a product and click Checkout
- https://gentlemanjoe.com/index.php/checkout/cart/
- PROCEED TO CHECKOUT
- https://gentlemanjoe.com/index.php/checkout/onepage/
- Express Checkout -> CONTINUE -> Fill out form -> Ship to this address -> CONTINUE -> Shipping Method -> Ground Shipping (the only choice) -> CONTINUE -> Redirects back to https://gentlemanjoe.com/index.php/checkout/cart/
Clues:
- Using Firebug, I found that after clicking CONTINUE the last time to select the shipping method, an XHR request is made against https://gentlemanjoe.com/index.php/checkout/onepage/saveShippingMethod/, and this request fails with an HTTP 503 Error. Here are the error details:
There has been an error processing your request
Notice: Undefined index: SESSIIID in /var/www/gentlemanjoe.com/app/code/core/Mage/Payment/Model/Method/Cc.php on line 388
Trace:
#0 /var/www/gentlemanjoe.com/app/code/core/Mage/Payment/Model/Method/Cc.php(388): mageCoreErrorHandler(8, 'Undefined index...', '/var/www/gentle...', 388, Array)
#1 /var/www/gentlemanjoe.com/lib/Varien/Autoload.php(93): include('/var/www/gentle...')
#2 [internal function]: Varien_Autoload->autoload('Mage_Payment_Mo...')
#3 /var/www/gentlemanjoe.com/app/code/core/Mage/Payment/Model/Method/Ccsave.php(29): spl_autoload_call('Mage_Payment_Mo...')
#4 /var/www/gentlemanjoe.com/lib/Varien/Autoload.php(93): include('/var/www/gentle...')
#5 [internal function]: Varien_Autoload->autoload('Mage_Payment_Mo...')
#6 [internal function]: spl_autoload_call('Mage_Payment_Mo...')
#7 /var/www/gentlemanjoe.com/app/code/core/Mage/Core/Model/Config.php(1204): class_exists('Mage_Payment_Mo...')
#8 /var/www/gentlemanjoe.com/app/Mage.php(432): Mage_Core_Model_Config->getModelInstance('payment/method_...', Array)
#9 /var/www/gentlemanjoe.com/app/code/core/Mage/Payment/Helper/Data.php(70): Mage::getModel('payment/method_...')
#10 /var/www/gentlemanjoe.com/app/code/core/Mage/Payment/Block/Form/Container.php(117): Mage_Payment_Helper_Data->getStoreMethods('1', Object(Mage_Sales_Model_Quote))
#11 /var/www/gentlemanjoe.com/app/code/core/Mage/Payment/Block/Form/Container.php(44): Mage_Payment_Block_Form_Container->getMethods()
#12 /var/www/gentlemanjoe.com/app/code/core/Mage/Core/Block/Abstract.php(211): Mage_Payment_Block_Form_Container->_prepareLayout()
… I cut it off for brevity. You can see the full stack trace at https://gentlemanjoe.com/errors/report.php?id=448265828398&skin=default
Background:
I am not the original developer of the site, just helping the owners troubleshoot this issue, which began on May 27 with seemingly no changes on their end. I have zero Magento knowledge and only basic PHP experience.
Any ideas?
Best Answer
To me, it clearly sounds like your Magento is badly corrupted.
I can't confirm that because the URL you pasted links to a Shopify website but let me explain.
Regarding the error
That error happens in a very critical file in terms of security, app/code/core/Mage/Payment/Model/Method/Cc.php being the file that handles the Credit Card payment method. Having an error thrown here in a core file is already a red flag.
On top of that, line 388 does not exist in a native Magento 1.4.0.1 install, you can find the original file here: https://github.com/OpenMage/magento-mirror/blob/1.4.0.1/app/code/core/Mage/Payment/Model/Method/Cc.php
That is a super red flag.
Two possibilities:
Unfortunately, I have a bad feeling that you're in the second case.
That bad feeling comes from the fact that the key that does not exist and that triggers the error is SESSIIID. It looks to me that the corrupted file is trying to steal the session ids to be able to retrieve the credit card details. One of the most famous Magento vulnerabilities regarding credit card hijacking uses SESSIID (with two i, there's three in your code) and I'm pretty sure that's what the hacker wanted to achieve: https://www.byte.nl/blog/widespread-credit-card-hijacking-discovered
Fixing the problem
First, I suggest you run the website against MageReport: https://www.magereport.com/
It will help you find out the vulnerabilities of your website.
Second, I suggest you roll back all the core files to the original ones.
My personal suggestion would be to use the MageRun plugin developed by AOE to find out which core files have been modified: https://github.com/AOEpeople/mpmd#command-mpmdcorehacks
Finally, once you've rolled back the core files to their original state, I suggest you install all the missing patches. You can download them here: https://www.magentocommerce.com/download
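
The core-file comparison suggested in the answer above, as an added example that is not part of the original post and is not the mpmd plugin's code: it hashes every file under the installed app/code/core tree and under a pristine copy of the same Magento version (for instance a checkout of the mirror tag the answer links to), then reports modified, added and missing files with line counts, so a Cc.php that has grown past its original length stands out. The function names and directory arguments are assumptions.

```python
import hashlib
import os
import sys


def snapshot(root):
    """Map each file path (relative to root) to (sha256 hex, line count)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = (hashlib.sha256(data).hexdigest(), data.count(b"\n"))
    return files


def compare_core(installed_root, pristine_root):
    """Compare an installed core tree with a pristine copy of the same version.

    Returns {'modified': [(path, pristine_lines, installed_lines)],
             'added': [path], 'missing': [path]}, each list sorted.
    """
    installed = snapshot(installed_root)
    pristine = snapshot(pristine_root)
    modified = sorted(
        (path, pristine[path][1], installed[path][1])
        for path in installed.keys() & pristine.keys()
        if installed[path][0] != pristine[path][0]
    )
    return {
        "modified": modified,
        "added": sorted(installed.keys() - pristine.keys()),
        "missing": sorted(pristine.keys() - installed.keys()),
    }


if __name__ == "__main__":
    # Assumed usage: python compare_core.py <installed>/app/code/core <pristine>/app/code/core
    report = compare_core(sys.argv[1], sys.argv[2])
    for path, before, after in report["modified"]:
        print(f"MODIFIED {path} ({before} -> {after} lines)")
    for path in report["added"]:
        print(f"ADDED    {path}")
    for path in report["missing"]:
        print(f"MISSING  {path}")
    # Non-zero exit when the installed tree contains changed or extra files
    sys.exit(1 if report["modified"] or report["added"] else 0)
```

Run it against a copy of the site's files rather than the live docroot, and keep the modified files for later analysis before rolling anything back.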