[原文]Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.
PHP Toolkit for PayPal ipn_success.php Spoofed Payment Generation
Remote / Network Access
Loss of Integrity
PHP Toolkit for PayPal contains a flaw that allows an attacker to inject spoofed payments into the application's log files. This flaw exists because the application does not validate HTTP POST requests to the 'ipn_success.php' script. This could allow an attacker to create "successful" payment entries in the logs that are indistinguishable from legitimate log entries.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.