Marketpress Security Bug

I don't know if anybody has seen this before, but you can add negative items to your shopping cart.

Thankfully with paypal or google it doesn't deduct cash out of our account. But if someone in the shipping department isn't paying attention, they could easily ship out products without realizing that it was a negative payment.

Also, the process went through via manual checkout, which we do not have enabled.

I just wanted everybody to be aware. I would expect that a php statement could prevent the - symbol from being entered into the form, or at least remove it if it shows up.

    Timothy Bowers

    Hi Tony.

    Out of interest if you tried to proceed to Paypal does it not give an error? Something like:

    10525 Invalid Data This transaction cannot be
    processed. The amount to be
    charged is zero.

    I think the ideal behaviour as I would see it is that anything with a minus in front would remove the product from the cart.

    It processes the order with Manual payments.

    I wouldn't call this a security bug, as it doesn't allow someone to hack your system or steal information, but I understand the gravity of the situation.

    I'll ping Aaron on this and let him know.


    When it was pointed out to us, we tried a transaction. It somehow automatically took us out through a manual checkout. It simply said that the payment had been processed. When we checked the admin, it said manual checkout, even though it's not enabled. Paypal didn't acknowledge the attempt.

    Okay, so maybe it's not a security bug, unless you have new staff or staff in training that might deliver product that shows up as "paid" in the admin, even though it shows a negative payment.

    Hopefully it's an easy fix though right?

    Timothy Bowers

    Hey again.

    Yeah, I see what you mean: if there is a negative cart quantity it just does it through Manual Process. I just set up a cart to test.

    I guess it pushes it to Manual payment so that the site owner takes a closer look at the order.

    Sure, it wouldn't be too hard to fix, I imagine.

    I've pinged the developer on this one.
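The two fixes suggested in this thread (reject or strip a minus sign on the quantity, and drop any product whose quantity is not positive) plus a final check that a non-positive total can never be recorded as paid or fall through to a disabled gateway, as an added PHP example. This is not MarketPress or WPMU DEV code; every function name, the cart array layout and the sample input are assumptions.

```php
<?php
// Added example, not MarketPress or WPMU DEV code: server-side cart
// validation so a negative quantity can never produce a negative or
// zero total that is then recorded as "paid". All names are hypothetical.

// Accept only a positive whole number; anything else ("-2", "2.5", "", "0") becomes 0.
function example_sanitize_qty($raw) {
    $raw = trim((string) $raw);
    return preg_match('/^[1-9][0-9]*$/', $raw) ? (int) $raw : 0;
}

// $cart is product_id => ['price' => float, 'qty' => raw form value].
// Items whose quantity sanitizes to 0 (or whose price is negative) are
// removed from the cart, as suggested in the thread, instead of being stored.
function example_normalize_cart(array $cart) {
    foreach ($cart as $product_id => $item) {
        $qty = example_sanitize_qty($item['qty']);
        if ($qty === 0 || (float) $item['price'] < 0) {
            unset($cart[$product_id]);
        } else {
            $cart[$product_id]['qty'] = $qty;
        }
    }
    return $cart;
}

function example_cart_total(array $cart) {
    $total = 0.0;
    foreach ($cart as $item) {
        $total += (float) $item['price'] * $item['qty'];
    }
    return $total;
}

// Final gate before an order is stored: the total must be positive and the
// gateway must be one the site owner actually enabled, so a bad total can
// never silently fall through to a disabled Manual Payments gateway.
function example_can_record_order(array $cart, array $enabled_gateways, $gateway) {
    return example_cart_total($cart) > 0
        && in_array($gateway, $enabled_gateways, true);
}

// Constructed sample input: a "-2" quantity submitted through the cart form.
$cart = array(
    'shirt' => array('price' => 20.00, 'qty' => '-2'),
    'hat'   => array('price' => 15.00, 'qty' => '1'),
);
$cart = example_normalize_cart($cart);
printf("total: %.2f\n", example_cart_total($cart));
var_dump(example_can_record_order($cart, array('paypal'), 'manual'));
```

With the sample input the negative-quantity item is dropped, only the hat is priced, and the order is refused because Manual Payments is not in the enabled gateway list.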