Not sure if it's a VM bug or Paypal or what, but last night a customer placed two orders. One for $52.49 and one for $104.96...however when I check paypal, he only paid $0.01 and $0.02. My products are downloadable and the orders were confirmed and show that he already downloaded them all.
Joomla 2.5.6
VM: 2.0.12f
I just updated Joomla to 2.5.8 and VM to 2.0.16. Maybe that'll fix it?
Upgrading didn't help...the son of a &%@$ registered another account and got me again...
This sounds really nasty, did you check your coupons?
IP block
We are checking this issue, but don't have a real clue atm.
Thanks for the reply.
He didn't use a coupon and I don't have any set up atm. Could it be a bug with the paypal plugin?
Quote from: PRO on January 03, 2013, 23:35:17 PM
IP block
I blocked his IP through cpanel after the second time he got me.
Please answer Valerie's PM.
I think he tricked the payment plugin plgVmOnPaymentNotification. Did you turn on your log? If yes, there should be log files in '/logs/paypal-ipn.log'. Otherwise, in your PayPal-generated table, there's a field that stores all the data sent by PayPal to your site; it is "paypalresponse_raw". Please check that table as well...
Might sound a little bit stupid, but I also would send the customer an email asking him how he did that. Perhaps you are lucky and he lets you know.
I'd have a look at the access log, as that may indicate if his behaviour was different from a normal purchaser, e.g. direct access to some BE file?
The plugin should be checking that the price has not been altered when the IPN is sent.
If not, it should be fairly easy for someone to fix.
Hello
I have contacted Shawn by PM to understand what happened exactly. I am waiting for him.
Meanwhile, we have checked the code.
We found that the call to check that the IPN notification is valid must be done via SSL through port 443.
When the call was done via non-SSL and to port 80, no answer was sent from Paypal, but the IPN was validated.
We have fixed that in version 2.0.16c.
Shawn, I would still like you to contact me, to make sure that this was the problem.
Hello
Quote: The plugin should be checking that the price has not been altered when the IPN is sent.
If not, it should be fairly easy for someone to fix.
Yes, this is done: that the amount and the currency returned by Paypal are the same as the ones sent to Paypal.
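As an added illustration of the two checks discussed in the posts above (not part of any post and not VirtueMart's plugin code): a validator that treats a missing answer from PayPal as a rejection and compares amount and currency against the stored order, next to a model of the fail-open behaviour described. Function names and the array layout are assumptions; `VERIFIED`/`INVALID`, `payment_status`, `mc_gross` and `mc_currency` are PayPal's IPN reply values and field names.

```php
<?php
// Added example, not VirtueMart code. Function names and array layout are assumptions.
// $reply is the body returned by the post-back to PayPal ('' or false if no answer).

// Models the fail-open behaviour described above: anything but INVALID passes.
function ipn_accepted_fail_open($reply): bool
{
    return trim((string) $reply) !== 'INVALID';
}

// Parse a decimal amount string into integer cents; null if malformed.
function to_cents($amount): ?int
{
    if (!is_string($amount) || !preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        return null;
    }
    return (int) round(((float) $amount) * 100);
}

// Fail closed: require an explicit VERIFIED, a completed payment, and the
// same amount and currency that the shop stored for the order.
function ipn_accepted_fail_closed($reply, array $ipn, array $order): bool
{
    if (!is_string($reply) || trim($reply) !== 'VERIFIED') {
        return false; // no answer from PayPal is treated as a rejection
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return false;
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        return false;
    }
    $paid = to_cents($ipn['mc_gross'] ?? null);
    return $paid !== null && $paid === to_cents($order['total']);
}

// Constructed sample data (order total and paid amount as in the first post).
$order = ['total' => '52.49', 'currency' => 'USD'];
$low   = ['payment_status' => 'Completed', 'mc_gross' => '0.01', 'mc_currency' => 'USD'];
$full  = ['payment_status' => 'Completed', 'mc_gross' => '52.49', 'mc_currency' => 'USD'];

var_dump(ipn_accepted_fail_open(''));                          // old logic, empty reply
var_dump(ipn_accepted_fail_closed('', $low, $order));          // empty reply
var_dump(ipn_accepted_fail_closed('VERIFIED', $low, $order));  // amount mismatch
var_dump(ipn_accepted_fail_closed('VERIFIED', $full, $order)); // matching payment
```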
Thanks to Valerie and Max for all your help via skype.
It turns out that I had an older version of the Paypal plugin which is suspected to be the problem. When updating VM, I didn't realize that I also had to update the AIO component separately. So, while I was running VM 2.0.16, I actually had v2.0.8 of the AIO.
Per Max's advice, I updated to VM 2.0.16c and also aio to 2.0.16c, and that should be the end of the problem! :)
It was quite a good wake-up call.
We additionally checked the security now and also found some extra validation methods.
This is a serious issue and I recommend that the VM team give this notification to all VM2 users...
The problem is only for versions lower than 2.0.12F I think. I want to release the 2.0.16C asap, as bug-free as I can imagine. Additionally we want to provide a paypal version with the fixes for stores down to 2.0.6. The fixed paypal plugin for the 2.0.14 will be uploaded this evening. Expect a notification tomorrow for all users with provided versions for non updaters. All others can directly use 2.0.16c. 2.0.16D will be in the ARS and all people updating regularly will have it tomorrow in the "box".
@milbo...ah keep the good things comin'...
Can I ask how you got downloadable content on Virtuemart 2? As far as I can tell, they removed this feature since 2.0. Making me think about installing Virtuemart 1.x when needing downloadable goods.
I hope this isn't classed as a thread hijack :-p
They have a paid plugin you can use. I use one called digitoll download. If you google digitoll download, you'll find it.
yeh, threadhijacker :-)
For the complete list look here
http://forum.virtuemart.net/index.php?topic=111890.msg376142#msg376142
We did not remove it on purpose to annoy you. The reason is exactly that there are now 4 different plugins with different advantages, more variety and better support.