Apparent Security Hole in Coupons/Vouchers module
#1  HVLLC (Lurker), 03-29-2005, 12:04 PM

This is a SEVERE hole and everyone should be aware it is happening.

Our store has someone who is able to give himself as many $10 vouchers as he needs to reduce the amount due to below $10. On some orders he has used $40 worth of vouchers.

This really sucks because the guy seems to know what he is doing and pays with PayPal e-check that doesn't seem to clear. If I try to refund him, it looks like Paypal will pay him out of my account regardless of whether the check clears or not!!

Anyone know how he can send himself $10 vouchers? In looking at the administration area's gift vouchers list, I see mostly where "admin" was the issuer but there are several where his user ID was the issuee.

The following voucher seems to be the one that is used most often:
---------
Discount Coupons (2005-03-29)
Coupon Name: Coupon 10
Coupon Description: 10 percent off with this coupon.
Coupon Amount: 10.0000%
Coupon Minimum Order: 25.0000
Free Shipping: No Free Shipping
Coupon Code: 5dd5cb
Uses per Coupon: 10000
Uses per Customer: 1
Valid Product List:
Valid Categories List:
Start Date: 03/29/2005
End Date: 03/29/2006

#2  michael_s (osCMax Developer, Phoenix, AZ), 03-29-2005, 01:07 PM

Quote:
GV_REDEEM_EXPLOIT_FIX (GVREF)
---------------------------------------------
* case: guest accounts can exploit a gift voucher sent using "Mail Gift Voucher" (admin area)
* by sharing the code until somebody logs in with a valid account
* or successfully creates a new account.
*
* obv: the session remains on the user while served as a guest.
* The gift voucher can now be reused by all guest users until
* the gift voucher is redeemed.
* soln: before releasing the gift voucher, the user must log in first
* or be asked to create an account.
*
-- Frederick Ricaforte
Fix is here: http://www.oscommerce.com/community/...h,gift+voucher
__________________
Michael Sasek
osCMax Developer

#3  HVLLC (Lurker), 03-31-2005, 10:32 AM

Thanks Michael!

It seems that fix will correct the condition where he used the admin code to send himself gift vouchers. However, I am seeing where his user account has sent vouchers also.

I am afraid there is still a hole somewhere in the system allowing him to send himself vouchers for any amount and for free.

Christie

#4  midwestwebsites (Member), 04-01-2005, 11:14 AM
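The GVREF note quoted in post #2 describes two separate weaknesses in a voucher redemption flow: the code is accepted into whatever session presents it, even an unauthenticated guest session, and nothing marks the code as consumed until a real account claims it, so the same code can be handed around. Post #3 raises a related concern, a customer account issuing vouchers without paying for them. The following is an added illustration of both the weak flow and a hardened one, written for this thread and not taken from osCommerce, osCMax or the GVREF fix itself. The table layout, the function names, the voucher code GV-EXAMPLE-0001 and customer id 42 are all constructed for the example; the real osCommerce voucher tables and redemption script are not modelled.

```python
import secrets
import sqlite3

# Constructed in-memory schema: a simplified stand-in for a shop's voucher
# tables, not osCommerce's own. Once claimed, a voucher row records the
# claiming customer's id, which is what makes it single-use.
SCHEMA = """
CREATE TABLE vouchers (
    code        TEXT PRIMARY KEY,
    amount      REAL NOT NULL,
    redeemed_by INTEGER
);
CREATE TABLE customer_balance (
    customer_id INTEGER PRIMARY KEY,
    balance     REAL NOT NULL DEFAULT 0
);
"""

class NotLoggedIn(Exception): pass
class AlreadyRedeemed(Exception): pass
class UnknownVoucher(Exception): pass
class InsufficientBalance(Exception): pass

def new_store():
    """Fresh store with one constructed $10 voucher and one constructed customer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO vouchers VALUES ('GV-EXAMPLE-0001', 10.0, NULL)")
    conn.execute("INSERT INTO customer_balance VALUES (42, 0.0)")
    conn.commit()
    return conn

def redeem_vulnerable(conn, session, code):
    """The behaviour the GVREF note describes: any session, logged in or not,
    gets the voucher value parked in it, and the row is never marked consumed,
    so every guest who presents the same code gets the same credit."""
    row = conn.execute("SELECT amount FROM vouchers WHERE code = ?", (code,)).fetchone()
    if row is None:
        raise UnknownVoucher(code)
    session.setdefault("gv_codes", []).append(code)   # credit lives only in the session
    return row[0]

def redeem_hardened(conn, session, code):
    """Require an authenticated customer, then claim the row in one conditional
    UPDATE so that two concurrent requests cannot both succeed."""
    customer_id = session.get("customer_id")
    if customer_id is None:
        raise NotLoggedIn("log in or create an account before redeeming")
    with conn:  # one transaction: claim the voucher and credit the account together
        cur = conn.execute(
            "UPDATE vouchers SET redeemed_by = ? WHERE code = ? AND redeemed_by IS NULL",
            (customer_id, code))
        if cur.rowcount != 1:
            if conn.execute("SELECT 1 FROM vouchers WHERE code = ?", (code,)).fetchone():
                raise AlreadyRedeemed(code)
            raise UnknownVoucher(code)
        amount = conn.execute("SELECT amount FROM vouchers WHERE code = ?", (code,)).fetchone()[0]
        conn.execute("UPDATE customer_balance SET balance = balance + ? WHERE customer_id = ?",
                     (amount, customer_id))
    return amount

def send_voucher_hardened(conn, session, amount):
    """A customer may only issue a voucher out of balance they actually hold;
    the debit and the new voucher row are committed together or not at all."""
    customer_id = session.get("customer_id")
    if customer_id is None:
        raise NotLoggedIn("only a logged-in customer can send a voucher")
    if amount <= 0:
        raise ValueError("voucher amount must be positive")
    code = "GV-" + secrets.token_hex(4).upper()   # unguessable code, constructed format
    with conn:
        cur = conn.execute(
            "UPDATE customer_balance SET balance = balance - ? "
            "WHERE customer_id = ? AND balance >= ?", (amount, customer_id, amount))
        if cur.rowcount != 1:
            raise InsufficientBalance(customer_id)
        conn.execute("INSERT INTO vouchers VALUES (?, ?, NULL)", (code, amount))
    return code

def demo():
    """Walk both flows and return the observable outcomes."""
    results = {}
    conn = new_store()
    guest_a, guest_b = {}, {}
    results["vulnerable_guest_a"] = redeem_vulnerable(conn, guest_a, "GV-EXAMPLE-0001")
    results["vulnerable_guest_b"] = redeem_vulnerable(conn, guest_b, "GV-EXAMPLE-0001")
    conn = new_store()
    try: redeem_hardened(conn, {}, "GV-EXAMPLE-0001")
    except NotLoggedIn: results["hardened_guest"] = "NotLoggedIn"
    customer = {"customer_id": 42}
    results["hardened_first"] = redeem_hardened(conn, customer, "GV-EXAMPLE-0001")
    try: redeem_hardened(conn, customer, "GV-EXAMPLE-0001")
    except AlreadyRedeemed: results["hardened_second"] = "AlreadyRedeemed"
    try: send_voucher_hardened(conn, customer, 25.0)
    except InsufficientBalance: results["send_over_balance"] = "InsufficientBalance"
    sent = send_voucher_hardened(conn, customer, 10.0)
    results["balance_42"] = conn.execute(
        "SELECT balance FROM customer_balance WHERE customer_id = 42").fetchone()[0]
    results["sent_code_unredeemed"] = conn.execute(
        "SELECT redeemed_by FROM vouchers WHERE code = ?", (sent,)).fetchone()[0] is None
    return results

if __name__ == "__main__":
    print(demo())
```

The two points worth carrying back to a real shop are that the login check belongs before any voucher value touches the session, and that "consumed" must be recorded by a conditional write on the voucher row rather than by a flag in the session; a later balance audit then shows every credit traced to exactly one claimed row and every issued voucher traced to a debit.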

Quote:
Originally Posted by msasek
GV_REDEEM_EXPLOIT_FIX (GVREF)
[quoted fix note snipped; see post #2]
Fix is here: http://www.oscommerce.com/community/...h,gift+voucher
Is this fixed in osCMax 1.7? I don't see an upgrade patch for 1.5.5, so my first assumption would be no.

Thanks
Jonathan