Order amount can be bypassed
harm-smits opened this issue
Hey
- I create an order and go to a hosted payment page (e.g. iDEAL).
- I open a new tab and add other products to my cart.
- I 'place' the order again, and I get redirected once more to a hosted payment page (e.g. iDEAL).
- I switch back to the previous tab and finish my payment.
- The order gets approved.
There is no check for the total amount received from the transaction. Hence I am able to do this; please implement it accordingly, since this is quite the problem.
As a hotfix, people can change the following lines of code in app/functions/fn.cart.php (around lines L9608-L9626) from
```php
// Remove previous failed order
if (!empty($cart['failed_order_id']) || !empty($cart['processed_order_id'])) {
    $_order_ids = !empty($cart['failed_order_id']) ? $cart['failed_order_id'] : $cart['processed_order_id'];
    foreach ($_order_ids as $_order_id) {
        fn_delete_order($_order_id);
    }
    /**
     * Executes when placing an order on checkout after failed orders are deleted.
     *
     * @param array $cart     Cart data
     * @param array $auth     Authentication data
     * @param array $params   Request parameters
     * @param int   $order_id Deleted order ID
     */
    fn_set_hook('checkout_place_order_delete_orders', $cart, $auth, $params, $_order_ids);
    $cart['rewrite_order_id'] = $_order_ids;
    unset($cart['failed_order_id'], $cart['processed_order_id']);
}
```
to
```php
// Remove previous failed order
if (!empty($cart['failed_order_id']) || !empty($cart['processed_order_id'])) {
    $cart['rewrite_order_id'] = [];
    unset($cart['failed_order_id'], $cart['processed_order_id']);
}
```
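The hotfix above only stops the earlier order from being deleted when the cart is re-placed. The missing control the report points at is on the other side: when the payment provider reports back, the shop must check that the payment belongs to the order being approved and that the amount and currency received equal what that order was stored with. The following is an added example of that check, not code from the project or from the reporter; the function names, the order and notification field names, and the sample data are all assumptions made for illustration.

```php
<?php
// Added example (not the project's code): verify a payment notification
// against the stored order before approving it. All function names and
// array keys below are hypothetical.

declare(strict_types=1);

/**
 * Convert a decimal amount string to minor units (cents) so that amounts
 * can be compared as integers instead of floats.
 */
function toMinorUnits(string $amount): int
{
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        throw new InvalidArgumentException("Malformed amount: $amount");
    }
    [$whole, $frac] = array_pad(explode('.', $amount, 2), 2, '0');
    return (int) $whole * 100 + (int) str_pad($frac, 2, '0');
}

/**
 * Decide whether a provider notification may approve an order.
 *
 * $order        the order as stored when the payment page was opened
 * $notification the fields the payment provider reports back
 *
 * Returns the list of reasons for rejection; an empty list means approve.
 */
function validatePaymentNotification(array $order, array $notification): array
{
    $reasons = [];

    // 1. The payment must reference exactly this order, never "whatever the cart holds now".
    if ((string) $notification['order_id'] !== (string) $order['order_id']) {
        $reasons[] = 'order_id mismatch';
    }

    // 2. Only a pending order may move to paid; a second notification cannot approve twice.
    if ($order['status'] !== 'pending') {
        $reasons[] = 'order not pending';
    }

    // 3. Currency must match before amounts are compared at all.
    if ($notification['currency'] !== $order['currency']) {
        $reasons[] = 'currency mismatch';
    }

    // 4. The amount actually received must equal the total the order was stored with.
    if (toMinorUnits((string) $notification['amount']) !== toMinorUnits((string) $order['total'])) {
        $reasons[] = 'amount mismatch';
    }

    return $reasons;
}

// Constructed sample data: the first order (total 10.00) was paid, while the
// cart was meanwhile re-placed as a larger order (total 250.00). The paid
// notification may approve order 1001 only.
$firstOrder   = ['order_id' => 1001, 'status' => 'pending', 'currency' => 'EUR', 'total' => '10.00'];
$secondOrder  = ['order_id' => 1002, 'status' => 'pending', 'currency' => 'EUR', 'total' => '250.00'];
$notification = ['order_id' => 1001, 'currency' => 'EUR', 'amount' => '10.00', 'status' => 'paid'];

foreach ([$firstOrder, $secondOrder] as $order) {
    $reasons = validatePaymentNotification($order, $notification);
    printf(
        "order %d: %s\n",
        $order['order_id'],
        $reasons ? 'REJECT (' . implode(', ', $reasons) . ')' : 'approve'
    );
}
```

The order id check is what makes the re-placement scenario harmless: a payment started for the small order can only ever approve that small order, and the amount comparison catches any case where the stored total changed after the payment page was opened. Comparing in minor units rather than as floats avoids false mismatches such as `10.00` versus `9.999999`.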
Hi, thanks for your message. We'll look into this!
This should be fixed in the 1.1.4 release.
Just to be sure, but no CVE?