Support

Admin Tools

#9965 Paypal IPN failure

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Sunday, 11 December 2011 03:48 CST

Thursday, 21 July 2011 02:09 CDT

TurnTex
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the forum before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: (unknown)
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: (unknown)


Description of my issue:

Nicholas, sorry, it is me again! I read the thread in this forum regarding .htaccess maker and paypal and the need to add the notify.php exception. I added that last week when I first started using Admintools. However, tonight, I received the following e-mail from Paypal:


Please check your server that handles PayPal Instant Payment Notifications (IPN). IPNs sent to the following URL(s) are failing:



http://www.xxx.com/administrator/components/com_virtuemart/notify.php

http://www.xxx.com/administrator/components/com_virtuemart/notify_preorder.php

http://xxx.com/administrator/components/com_virtuemart/notify.php



If you do not recognize this URL, you may be using a service provider that is using IPN on your behalf. Please contact your service provider with the above information. If this problem continues, IPNs may be disabled for your account.



Thank you for your prompt attention to this issue.


Here is the list of exception that have been running for the last week:

components/com_uddeim/captcha15.php
components/com_virtuemart/fetchscript.php
administrator/components/com_extplorer/fetchscript.php
plugins/system/GoogleGears/gears-manifest.php
plugins/content/jw_allvideos/includes/jw_allvideos_scripts.php
administrator/components/com_akeeba/restore.php
administrator/components/com_admintools/restore.php
components/com_virtuemart/show_image_in_imgtag.php
components/com_joomlawatch/js/joomlawatch.js.php
components/com_joomlawatch/js/maps.js.php
components/com_joomlawatch/last.php
components/com_joomlawatch/visits.php
components/com_joomlawatch/stats.php
components/com_joomlawatch/tooltip.php
components/com_joomlawatch/img.php
administrator/components/com_virtuemart/notify.php

I realize that I need to add the vmpre-order exception but it looks like I already properly have the notify.php exception. Can you advise on why they are saying that http://www.xxx.com/administrator/components/com_virtuemart/notify.php is failing even though there is an exception?

Thanks again for the awesome support and sorry to keep bugging you! I really do try to RTFM before posting!

Thursday, 21 July 2011 02:13 CDT

nicholas
No worries, most solutions are not obvious unless you're very well versed in the ways Admin Tools protects your site. That's why we're here; to help :)

First, add the following exceptions to the list: 
components/com_virtuemart/notify_preorder.php
components/com_virtuemart/notify.php
then clickon "Save and create .htaccess"

Then go to Configure WAF and disable the Bad Behaviour integration (I am going to remove that option as it is too trigger finger-happy and throws too many false positives). Save the configuration and you should be back in business!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 21 July 2011 02:18 CDT

TurnTex
Thanks. Going to add it now. I already disabled the bad behavior option since it seemed to be blocking some legit potential customers.

Thursday, 21 July 2011 02:24 CDT

TurnTex
Nicholas,

Why would paypal be reporting the http://www.xxx.com/administrator/components/com_virtuemart/notify.php url when it is on the exceptions list and has been since I first installed Admintools?

Thursday, 21 July 2011 02:26 CDT

nicholas
If it is blocked by any other feature of Admin Tools (not just.htaccess Maker) PayPal would still complain.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 21 July 2011 02:28 CDT

TurnTex
Nicholas, Are there any other settings that I need to change to make sure they are happy? I think I have them all covered but am not sure.

Also, are you the only developer here at Akeeba or is there a team of developers? Just curious.

Thursday, 21 July 2011 02:43 CDT

nicholas
Normally these are the only settings required. If PayPal still complains, you can go to Admin Tools, Web Application Firewall, Exceptions Log and see if something in PayPal's IPN response triggered an exception. If yes, you can tell me and we're going to figure out a solution. If not, we will have to review the settings in the .htaccess Maker.

I am currently the only developer in the team. Most likely the team is going to expand in the not-so-distant future, though :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 21 July 2011 08:16 CDT

Baldur2630
I have a similar problem. I setup a site to sell music and several users had paid via PayPal and the payment confirmed, the software sends them a download link (MyMuse Joomla 1.5 Extension), which they never got.

We found that the payment was confirmed, but the user never received the link. I added all the exceptions above (and disabled Bad Behaviour), I even removed the .htaccess apart from the Joomla 1.5 installed one and neither the developer of MyMuse nor myself could fix the problem. PayPal also had a try, and I disabled everything in Admin Tools, but still the same.

Finally I removed the entire Admin Tools by uninstalling it and it all worked perfectly immediately. I must admit I'm a bit disappointed. It's a nice component, but anything which blocks me making money and forces me to keep apologizing to customers and emailing them their purchases is a bit of a dead loss.

Thursday, 21 July 2011 08:43 CDT

nicholas
Hi!

If you disable the "System - Admin Tools" plugin and remove the .htaccess file generated by Admin Tools then there is absolutely no code of ours running on your site. I don't understand how a component which is installed but not used could have affected your site's operation. If the code doesn't run, it has no effect - it's computer code, not a magic spell. Maybe you forgot to disable the one option which was conflicting with your e-commerce extension after all, or used the Administrator Password Protection (see below).

I am, too, using Admin Tools on this site and, just like you, I sell subscriptions over PayPal. In fact, that's the only way I can make money. I have also helped build or maintain other sites except this one. I have not seen any conflicts between Admin Tools and PayPal as long as I:
a. remove the Bad Behaviour integration or add PayPal's IPN IP to Bad Behaviour's IP white list
b. Do not use the Administrator Password Protection. Note that VirtueMart is placing its IPN endpoint PHP file in the administrator directory. If you password protect the administrator directory then of course it won't work! Apache will require a username/password to access that file, ignoring the .htaccess exceptions (sorry, that's how Apache works, it's not my fault and I can obviously not change it)
c. add .htaccess exceptions for any PHP files which act as IPN endpoints

My guess is that you have a problem with the administrator password protection feature. If you remove it (e.g. remove the .htaccess and .htpasswd files from your administrator directory) the problems should go away. All of the other issues are fixed with WAF configuration changes and .htaccess exceptions.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 21 July 2011 13:42 CDT

Baldur2630
You misunderstood me. I never disabled the plugin. One by one, I disabled all the features of Admin Tools WAF etc., then I deleted the .htaccess file and replaced it with the standard one that comes with Joomla install. I removed all the Blacklisted IP addresses from the Firewall. I made sure that there were no blocks on the ISP's Firewall(Dayana Host).

I just got so fed up with having to apologize to users, that instead of disabling the Plugin / component, I un-installed the Admin Tools, wherupon everything worked 100%.

I started with computers in 1970 and I'm an MCSE, VCP, and MCNE, not a casual user who makes obvious mistakes, and I did try all the obvious troubleshooting methods you suggest and some of my own as well.

I would LIKE to use Admin Tools on the site (it works OK on all my other sites which don't need to get payments), but I just can't afford to keep having the same problem over and over again.

I would like to work with you on this, but unfortunately this is a live site, so I can't. When you KNOW what ALL the problems are with PayPal, I'll try it again. but from this thread, it doesn't seem to be 100% solved yet. I just thought I would tell you about my problem so you can add it to the list.

Thursday, 21 July 2011 13:46 CDT

Baldur2630
Oops I forgot to mention, It wasn't only me that tried to solve the problem. The developer of MyMuse Extension tried for several days, so did Dayana Host and so did Paypal. No-one knew what the exact nature of the problem was only that the notify was being blocked and the only way it seemed to get UN-nlocked is when I uninstalled Admin Tools.

I'm not being nasty about this, in my day, (I'm retired now), I also did a lot of programming so I know all about obscure 'bugs'.

Thursday, 21 July 2011 14:10 CDT

nicholas
Well, I'm not a newbie either and I do know how things I've built work and what the potential problems are ;)

First, let's examine how PayPal works and where each option comes into play. PayPal is a. issuing IPN notifications (POSTing to a hidden URL) and b. redirecting the user back to your site, all the while POSTing the same data as IPN.

The first thing that we have to establish is what the IPN script is. If it's not going through Joomla!'s index.php files, the following two things are required:
1. If the script is inside the administrator directory, you must not use the Administrator Password Protection because Apache will block access to the script
2. You must add it to the exceptions list (allow direct access to these files) in .htaccess Maker, so that it is not blocked
3. If you are using a redirection, e.g. non-www to www, you MUST use the correct URL, e.g. http://www.example.com/adminsitrator/com_foobar/ipn.php and NOT http://example.com/adminsitrator/com_foobar/ipn.php. This is a very common mistake. Do note that HTTP 302 redirections do not pass the POST data along and cause the IPN post to fail.

This is adequate, since the "System - Admin Tools" plugin is of course not executed by scripts which run outside the context of Joomla!'s index*.php files.

If the IPN goes through Joomla!'s index.php (like it does on this very site and, I assume, happens with the music downloads software) or if you get errors when users are redirected back from PayPal to your site, you need to disable the following Web Application Firewall options:
- "Cross Site Scripting block (XSSShield)" as it may cause issues with a minority of IPN requests
- "CSRF/Anti-spam form protection (CSRFShield)" as it will get triggered by POST requests originating from a remote server (they have a blank referrer or a referrer not belonging to your site)
- Block tmpl=foo system template switch if you suspect that your e-commerce software is using any tmpl=foo parameter, where foo is not included in the "List of allowed tmpl= keywords". Alternatively, if you do know which such parameter is used, add it to the list.
- Enable Bad Behaviour filter unless you add 66.211.170.66 to "White list IPs (comma separated list)"
- You should also add 66.211.170.66 to the "Never block these IPs" list under the "Auto-ban Repeat Offenders"

Of course, you can always review the Security Exceptions log for security exceptions originating from 66.211.170.66, the IP of PayPal's IPN server. You can see which protection is triggered and disable it in WAF configuration.

That said, if you do disable ALL options in Web Application Firewall, the plugin does absolutely nothing. It goes through a series of if-blocks, it sees that nothing is enabled and simply exits. So, telling me that you disabled everything, the site didn't work and uninstalling Admin Tools allowed everything to work just "doesn't stick". As you know -probably better than me- if some code doesn't execute, its mere existence doesn't make any difference to the outcome. That's why I suspect that you didn't disable all options when doing your debugging.

If you want, you can set up a clone of your site (a dev site), linked with PayPal's sandbox -if that's an option on your e-commerce software- and I will set up Admin Tools for you so that it doesn't conflict with your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 22 July 2011 02:01 CDT

TurnTex
Nicholas,

Just a followup to let you know that my Paypal IPN's are working just fine and dandy now, thanks to your help!

Friday, 22 July 2011 02:13 CDT

nicholas
You're welcome :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Saturday, 10 December 2011 19:12 CST

user6946
Hello
I have found a similar problem with DJClassifieds INP from paypal returns "IPN delivery failed. HTTP error code 403: Forbidden" from paypal Sandbox I unpublished the plugin and it works

I have try all the things listed above without success but its taken a day to find this.
It uses index.php?option=com_djclassifieds&view=paypal_notify.

I don't think it the .htaccess as I have tried the standard joomla one and still blocked and only started to use this function when I had this problem.

any ideas would be appreciated thanks
Kind regards

Sunday, 11 December 2011 03:48 CST

nicholas
There's no way you tried all of the above steps. One of those steps would have allowed you to find out the problem:

Of course, you can always review the Security Exceptions log for security exceptions originating from 66.211.170.66, the IP of PayPal's IPN server. You can see which protection is triggered and disable it in WAF configuration.


So, did you do that? What is the reason mentioned in the security exceptions log for the IP address 66.211.170.66?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!