Author Topic: 100% discount, no payment method selected, free product  (Read 382 times)

Huubs

  • Jr. Member
  • **
  • Posts: 235
100% discount, no payment method selected, free product
« on: September 07, 2020, 15:35:44 pm »
Hello,

I got a major problem with one of my websites. Running the latest Joomla version 3.9.21 and running the latest Virtuemart 3.8.4 with PHP version 7.4.9.

There is an order with 100% discount. And the coupon code is used, it's the last name of the customer, but I don't have that coupon code.

https://imgur.com/a/ChgadIm

Also there is no payment method selected, while I only have 1 payment method. And when the order was placed, it automatically went to the confirmed status, without being paid, see the screenshot. Is this a known bug? Very major leak I think.

Any idea what the issue might be?

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 27842
  • Always on vacation
    • Jenkin Hill Internet
Re: 100% discount, no payment method selected, free product
« Reply #1 on: September 07, 2020, 16:19:36 pm »
Any possibility the sie has been hacked? Any out of date 3rd party extensions?
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM 3.8.4.10335 on Joomla 3.9.21 PHP 7.4.9

Huubs

  • Jr. Member
  • **
  • Posts: 235
Re: 100% discount, no payment method selected, free product
« Reply #2 on: September 08, 2020, 10:52:56 am »
Any possibility the sie has been hacked? Any out of date 3rd party extensions?

No that is not a possibility, I don't see anything weird in the logs. Also every 3rd party plugin I use is up to date, that is why I found it extremely weird. I haven't seen this ever, and I am using Virtuemart for quite some time now.

That is why I thought it's some kind of leak?

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • *
  • Posts: 27842
  • Always on vacation
    • Jenkin Hill Internet
Re: 100% discount, no payment method selected, free product
« Reply #3 on: September 08, 2020, 11:12:21 am »
Sounds fishy to me. Do you actually have a 100% discount coupon? Have you checked the raw access logs?
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VM 3.8.4.10335 on Joomla 3.9.21 PHP 7.4.9

Huubs

  • Jr. Member
  • **
  • Posts: 235
Re: 100% discount, no payment method selected, free product
« Reply #4 on: September 08, 2020, 23:26:51 pm »
Sounds fishy to me. Do you actually have a 100% discount coupon? Have you checked the raw access logs?

No I don't have a 100% coupon code. I checked the access logs but I cannot seem to see anything. Around that time there aren't even lines... :S

StefanSTS

  • Global Moderator
  • Full Member
  • *
  • Posts: 546
  • VirtueMart Version: VM 4.2 on Joomla 4.5
Re: 100% discount, no payment method selected, free product
« Reply #5 on: September 09, 2020, 12:02:39 pm »
No that is not a possibility, I don't see anything weird in the logs.
....
I checked the access logs but I cannot seem to see anything. Around that time there aren't even lines... :S
Thank god, then it might have been just a glitch in the matrix.
Or a difference between local time and server time.


That is why I thought it's some kind of leak?

How do you define leak?
Probably a security leak, like a weak password, or a person with access to the backend.
But thank god, hacked is not a possibility. Or maybe?

Personally if there is no possibility for a hack, I run a check with mysites.guru.
Devastating what that tells me about how hacked sites are sometimes.

Stefan
--
Stefan Schumacher
www.jooglies.com - VirtueMart Invoice Layouts

Please use only stable versions with even numbers for your live shop! Use Alpha versions only if you know what risk you are taking.

Studio 42

  • Contributing Developer
  • Sr. Member
  • *
  • Posts: 4362
  • Joomla & Virtuemart developper
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3
Re: 100% discount, no payment method selected, free product
« Reply #6 on: September 10, 2020, 23:37:49 pm »
I think that someone :
- found the admin credentials(or used a hack)
- added product to basket
- generated a coupon.
- used the coupon
- confirmed the order
- removed the coupon.
You can check if the coupons IDs have a hole in the sequence, if this is the case then my theory is certainly right.