
Apparent Security Hole in Coupons/Vouchers module

Discussion in the osCmax v1.7 Discussion forums (osCmax v1.7 Forums category).

      
#1 HVLLC (Lurker, joined Mar 2005)


Apparent Security Hole in Coupons/Vouchers module

    This is a SEVERE hole and everyone should be aware it is happening.

Our store has someone who is able to give himself as many $10 vouchers as he needs to reduce the amount due to below $10. On some orders he has used $40 worth of vouchers.

This really sucks because the guy seems to know what he is doing and pays with a PayPal e-check that doesn't seem to clear. If I try to refund him, it looks like PayPal will pay him out of my account regardless of whether the check clears or not!!

Does anyone know how he can send himself $10 vouchers? Looking at the administration area's gift vouchers list, I see mostly entries where "admin" was the issuer, but there are several where his user ID was the issuee.

The voucher that gets used most often seems to be the following:
---------
Discount Coupons (2005-03-29)
Coupon Name: Coupon 10
Coupon Description: 10 percent off with this coupon.
Coupon Amount: 10.0000%
Coupon Minimum Order: 25.0000
Free Shipping: No Free Shipping
Coupon Code: 5dd5cb
Uses per Coupon: 10000
Uses per Customer: 1
Valid Product List: (empty)
Valid Categories List: (empty)
Start Date: 03/29/2005
End Date: 03/29/2006

#2 michael_s (osCMax Developer, Phoenix, AZ, joined Jul 2002)


RE: Apparent Security Hole in Coupons/Vouchers module

GV_REDEEM_EXPLOIT_FIX (GVREF)
---------------------------------------------
* case: guest accounts can exploit a gift voucher sent using "Mail Gift Voucher" (admin area)
* by sharing the code until somebody logs in with a valid account
* or successfully creates a new account.
*
* obv: the session remains on the user while served as a guest.
* The gift voucher can now be reused by all guest users until
* the gift voucher is redeemed.
* soln: before releasing the gift voucher, the user must log in first
* or be asked to create an account.
*
-- Frederick Ricaforte
    Fix is here: http://www.oscommerce.com/community/...h,gift+voucher
    Michael Sasek
    osCMax Developer

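The flaw in the fix note above, modelled as an added example; this is not osCommerce or osCmax code and makes no claim about their function or table names. It assumes a simplified session object and an in-memory stand-in for the voucher table (both constructed here). The vulnerable flow checks "already redeemed" when the mailed link is opened but only marks the voucher redeemed when a logged-in customer releases it, so every guest session that opened the link before the first release is credited once it becomes an account. The hardened flow refuses guests and makes the check and the mark one step.

```python
"""Model of the gift-voucher redemption flaw: constructed example, not
osCommerce/osCmax code. Session and VoucherStore are assumptions that
stand in for the PHP session and the coupons table."""
from dataclasses import dataclass, field
from typing import Dict, Optional

CODE = "GVTEST01"  # constructed voucher code, not one from the thread


@dataclass
class Session:
    customer_id: Optional[int] = None  # None while the visitor is a guest
    pending_gv: Optional[str] = None   # code parked by the mailed link


@dataclass
class VoucherStore:
    amounts: Dict[str, int] = field(default_factory=dict)      # code -> value
    redeemed_by: Dict[str, int] = field(default_factory=dict)  # code -> customer
    balances: Dict[int, int] = field(default_factory=dict)     # customer -> credit

    def issue(self, code: str, amount: int) -> None:
        self.amounts[code] = amount

    def credit(self, customer_id: int, code: str) -> None:
        self.balances[customer_id] = self.balances.get(customer_id, 0) + self.amounts[code]


# --- flawed flow: check at link time, mark at release time -----------------

def vulnerable_redeem(store: VoucherStore, session: Session, code: str) -> str:
    """Mailed-link handler: any visitor, guest included, may park the code.
    The redeemed check happens here, but nothing is marked until release,
    so every guest who opens the link before the first release passes it."""
    if code not in store.amounts:
        return "invalid"
    if code in store.redeemed_by:
        return "already_redeemed"
    session.pending_gv = code
    return "parked"


def vulnerable_release(store: VoucherStore, session: Session) -> str:
    """Runs after login or account creation and credits the parked code.
    It trusts the earlier check and never re-checks redeemed_by."""
    code = session.pending_gv
    if code is None or session.customer_id is None:
        return "nothing"
    store.credit(session.customer_id, code)
    store.redeemed_by.setdefault(code, session.customer_id)
    session.pending_gv = None
    return "credited"


# --- fixed flow: log in first, check and mark in one step -------------------

def hardened_redeem(store: VoucherStore, session: Session, code: str) -> str:
    """Refuse guests outright; check and mark together. Against a real
    table this is UPDATE ... WHERE redeemed = 0 plus an affected-rows
    check, so two concurrent requests cannot both succeed."""
    if session.customer_id is None:
        return "login_required"
    if code not in store.amounts:
        return "invalid"
    if code in store.redeemed_by:
        return "already_redeemed"
    store.redeemed_by[code] = session.customer_id
    store.credit(session.customer_id, code)
    return "credited"


def run_vulnerable(n_guests: int = 3, amount: int = 10) -> Dict[int, int]:
    """Open one mailed link in n guest sessions, then turn each into an
    account. Returns the credit each new account ends up with."""
    store = VoucherStore()
    store.issue(CODE, amount)
    guests = [Session() for _ in range(n_guests)]
    for g in guests:
        vulnerable_redeem(store, g, CODE)
    for cid, g in enumerate(guests, start=101):
        g.customer_id = cid  # guest session becomes a logged-in customer
        vulnerable_release(store, g)
    return dict(store.balances)


def run_hardened(n_guests: int = 3, amount: int = 10):
    """Same attack against the fixed flow: per-attempt outcomes and balances."""
    store = VoucherStore()
    store.issue(CODE, amount)
    guests = [Session() for _ in range(n_guests)]
    results = [hardened_redeem(store, g, CODE) for g in guests]
    for cid, g in enumerate(guests, start=101):
        g.customer_id = cid
        results.append(hardened_redeem(store, g, CODE))
    return results, dict(store.balances)


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
```

Running it shows three accounts each credited the full amount from one mailed voucher in the vulnerable flow, against a single credit in the hardened one; the remaining attempts fail with "login_required" or "already_redeemed".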

#3 HVLLC (Lurker, joined Mar 2005)


RE: Apparent Security Hole in Coupons/Vouchers module

    Thanks Michael!

It seems that fix will correct the condition where he used the admin code to send himself gift vouchers. However, I am seeing that his user account has sent vouchers also.

    I am afraid there is still a hole somewhere in the system allowing him to send himself vouchers for any amount and for free.

    Christie

#4 (Member, joined Sep 2003)


Re: RE: Apparent Security Hole in Coupons/Vouchers module

Quote, originally posted by msasek:
GV_REDEEM_EXPLOIT_FIX (GVREF)
---------------------------------------------
* case: guest accounts can exploit a gift voucher sent using "Mail Gift Voucher" (admin area)
* by sharing the code until somebody logs in with a valid account
* or successfully creates a new account.
*
* obv: the session remains on the user while served as a guest.
* The gift voucher can now be reused by all guest users until
* the gift voucher is redeemed.
* soln: before releasing the gift voucher, the user must log in first
* or be asked to create an account.
*
-- Frederick Ricaforte
Fix is here: http://www.oscommerce.com/community/...h,gift+voucher

Is this fixed in osCMax 1.7? I don't see an upgrade patch for 1.5.5, so my first assumption would be no.

    Thanks
    Jonathan
