"The PHP Toolkit provides a set of scripts that faciliatate the integration of PayPal into an ecommerce service. It provides scripts that generate a PayPal form dynamically as well as scripts to process Instant Payment Notifications."

If the payment through PayPal.com was completed successfully, payment data is transferred to ipn.php, which in turn executes ipn_success.php, passing it the parsed payment data as parameters using POST request. ipn_success.php will enter the passed data straight into log file without verifying where this data came from. This means, an attacker can reproduce the POST request and enter the details of the successful payment into the log file even if there was no payment through PayPal.com

PHP Toolkit for PayPal vendor documentation recommends to set permissions for the "logs" directory "../ipn/logs/" to 777. Data from ipn_success.php suggests that the payment data log file is "logs/ipn_success.txt", which, if installed according to documentation, will have global read permission. As a result, anyone is able to view the transaction data.