News:

Support the VirtueMart project and become a member

Main Menu

100% discount, no payment method selected, free product

Started by Kuubs, September 07, 2020, 15:35:44 PM

Previous topic - Next topic

Kuubs

Hello,

I got a major problem with one of my websites. Running the latest Joomla version 3.9.21 and running the latest Virtuemart 3.8.4 with PHP version 7.4.9.

There is an order with 100% discount. And the coupon code is used, it's the last name of the customer, but I don't have that coupon code.

https://imgur.com/a/ChgadIm

Also there is no payment method selected, while I only have 1 payment method. And when the order was placed, it automatically went to the confirmed status, without being paid, see the screenshot. Is this a known bug? Very major leak I think.

Any idea what the issue might be?

jenkinhill

Any possibility the sie has been hacked? Any out of date 3rd party extensions?
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Kuubs

Quote from: jenkinhill on September 07, 2020, 16:19:36 PM
Any possibility the sie has been hacked? Any out of date 3rd party extensions?

No that is not a possibility, I don't see anything weird in the logs. Also every 3rd party plugin I use is up to date, that is why I found it extremely weird. I haven't seen this ever, and I am using Virtuemart for quite some time now.

That is why I thought it's some kind of leak?

jenkinhill

Sounds fishy to me. Do you actually have a 100% discount coupon? Have you checked the raw access logs?
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Kuubs

Quote from: jenkinhill on September 08, 2020, 11:12:21 AM
Sounds fishy to me. Do you actually have a 100% discount coupon? Have you checked the raw access logs?

No I don't have a 100% coupon code. I checked the access logs but I cannot seem to see anything. Around that time there aren't even lines... :S

StefanSTS

Quote from: Huubs on September 08, 2020, 10:52:56 AM
No that is not a possibility, I don't see anything weird in the logs.
....
I checked the access logs but I cannot seem to see anything. Around that time there aren't even lines... :S
Thank god, then it might have been just a glitch in the matrix.
Or a difference between local time and server time.


Quote from: Huubs on September 08, 2020, 10:52:56 AM
That is why I thought it's some kind of leak?

How do you define leak?
Probably a security leak, like a weak password, or a person with access to the backend.
But thank god, hacked is not a possibility. Or maybe?

Personally if there is no possibility for a hack, I run a check with mysites.guru.
Devastating what that tells me about how hacked sites are sometimes.

Stefan
--
Stefan Schumacher
www.jooglies.com - VirtueMart Invoice Layouts

Please use only stable versions with even numbers for your live shop! Use Alpha versions only if you know what risk you are taking.

Studio 42

I think that someone :
- found the admin credentials(or used a hack)
- added product to basket
- generated a coupon.
- used the coupon
- confirmed the order
- removed the coupon.
You can check if the coupons IDs have a hole in the sequence, if this is the case then my theory is certainly right.