Security issue for free products

  • Posts: 58
  • Thank you received: 2
11 years 10 months ago #83613

HI,

Just noticed that, despite in the back-end the setting for "Display 'add to cart' button for free products" is set to "No", the button isn't in fact displayed but the whole form is rendered in the page markup. This, in some specific browsers results in an issue where the <input type="hidden" (...)> field becomes visible and/or is quite easy to "hack" the button and put the product in the cart.

In the /product/add_to_cart_listing.php file, there should be a condition to enclose this form with the if(!empty($this->row->prices)){ (...) } and avoid the form markup to be rendered, although not visible in most browsers or for the majority of users.

Just noticed this issue, because the free products I have do not render any Add to cart button anywhere, although, twice, users had just added the product to the cart, proceeded to check-out and successfully purchased a 0 (zero) value product. This generates the invoice and all the associated emails.

Hope this help to probably increase some security in the best shop component for Joomla!™ :)

Last edit: 11 years 10 months ago by mcruip.

Please Log in or Create an account to join the conversation.

  • Posts: 18
  • Thank you received: 13
11 years 10 months ago #83642

Hi mcruip!

You're ahead of me. ;)
I also wanted to address with this remark to developers HikaShop. I hope in the next version they will fix this BIG problem.

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
11 years 10 months ago #83923

Hi,

Removing the form does not help at all since the product can simply be added to the cart with the add to cart HTML button's URL.
You can add the code:

if(!$config->get('display_add_to_cart_for_free_products',0) && empty($product->prices)){
						$notUsable[$product->cart_product_id]=0;
						$app->enqueueMessage(JText::sprintf('PRODUCT_NOT_AVAILABLE',$product->product_name),'notice');
						continue;
					}
before
if(empty($product->product_published)){
in the file administrator/components/com_hikashop/classes/cart.php and that will block adding free products regardless of the method when that option is turned off.

We'll add that to next version of HikaShop.

Please Log in or Create an account to join the conversation.

  • Posts: 58
  • Thank you received: 2
11 years 10 months ago #86220

The above code, solves the issue for one side, but... creates a bigger one on the other side. After implementing that code, users become unable to download free products because they get a couple of messages - The product is not available" and "The cart is empty".

In summary, either a bunch of 0.00 value invoices are issued or no free downloads are possible.

Is there a way to overcome this issue?

Also just adding a simple suggestion since I've noticed that this happens site-wide on Hikashop - any areas that are set to "hide" or "not show" in the component parameters, should, imho, be hidden by php condition check against the parameters and not by css display: none.
One of them is the comments form in the product page. It's there, in the markup, supposedly not visible on most browsers but like the add to cart button, sometimes it becomes visible, depending on the user browser and even it quite easy to "hack" it by making it visible and submit the comment.
Thanks
M

Last edit: 11 years 10 months ago by mcruip.

Please Log in or Create an account to join the conversation.

  • Posts: 82863
  • Thank you received: 13372
  • MODERATOR
11 years 10 months ago #86345

You can simply tick the "free download" checkbox of your files and they will be available directly on the product page, even if the product cannot be added to the cart.

For the comments, the elements are not hidden in CSS but removed from the view. What you see in the HTML is just the form and HTML hidden input fields but the elements for the comment, the username etc are not present. So it's not possible to submit the form like that. I agree though that this HTML should not be there either. We'll change that for next version.

Please Log in or Create an account to join the conversation.

  • Posts: 58
  • Thank you received: 2
11 years 10 months ago #86408

Hi Nicolas,
Thanks for your feedback. Great to know the html will be "out of view" in next version :)
As for the checkbox, it is ticked but I keep getting the 0,00 invoices issued. Don't worry. I'll try to figure out how can I manage free items.
Thanks again!
Cheers
M

Please Log in or Create an account to join the conversation.

Time to create page: 0.164 seconds
Powered by Kunena Forum