yggdrasil, posted January 12, 2016:

I have a WHMCS install which is not open for public orders; I disabled the login and registration page. But yesterday a fraudster registered, again as usual, using as subdomain the same name as the WHMCS installation in question. I will not start into saying that I suggested this to WHMCS before (add a file list or options to have some domains be blocked). WHMCS does not allow this; someone can order with google.com or with your own domain, and that is clearly not a good sign in terms of security, as someone doing that is just trying to get network/server access to do something malicious. Anyway, back to my issue... I know fraudsters use bots to register automatically, so while I was curious how he managed to create an account and pass an order, I thought, ok, he clearly didn't use the registration page but probably registered on the checkout. Fine. But here comes the strange thing. All my products on this install had their Stock as 0. You can't order anything. If you go to the order link, WHMCS informs you the product is out of stock. There is no need to say the fraudster DID order a product which has stock as 0. I was planning on using the stock feature in another install and now I'm concerned that it can be bypassed.
sentq, posted January 13, 2016:

> I disabled the login and registration page.

How exactly did you do that? Only delete URLs and/or files? If you don't need any client registration from the client area, this ActionHook will be all you need.
yggdrasil (author), posted January 13, 2016:

It's only temporary, so it's not fancy; otherwise I would make a permanent way to disable users. I just edited the templates with a generic message that informs users about the disabled login/registration pages. Either way, that is not actually my real concern, but rather why the fraudster was still able to order products with stock depleted (0).
WHMCS John (WHMCS Support Manager), posted January 15, 2016:

Hi, if you allow multiple quantities of a product to be ordered, it is possible (as of v6.2.0) to order a greater quantity than is in stock. E.g., if the stock level is set to 5 and you order a quantity of 6, the order would go through. Perhaps your HTTP server logs will show this was used in this case? Case #CORE-8867 is open with our developers in order to have this reviewed for future releases. Unfortunately, I cannot provide an estimated time for completion for this. However, once we resolve cases and push features they are available at our change log, here: http://changelog.whmcs.com/ I apologize for the inconvenience, and appreciate your patience as we work to resolve this.
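The failure mode described in the reply above (stock 5, quantity 6, order goes through) is what you get when the stock check asks only "is anything in stock?" and never compares the requested quantity against the available count. The following is an added illustration, not WHMCS code and not code from anyone in this thread: a constructed in-memory store with the quantity-unaware check beside a quantity-aware one. Product names, stock levels and the method names are assumptions made up for the example.

```python
"""Stock check: quantity-unaware vs quantity-aware (constructed example, not WHMCS code)."""
from dataclasses import dataclass, field
import threading

# Constructed catalogue (assumption): product name -> units in stock.
INVENTORY = {"vps-small": 5, "vps-large": 0}


class OutOfStock(Exception):
    """Raised when an order cannot be satisfied from current stock."""


@dataclass
class Store:
    stock: dict = field(default_factory=lambda: dict(INVENTORY))
    # One lock so that checking stock and decrementing it is a single step.
    lock: threading.Lock = field(default_factory=threading.Lock)

    def order_quantity_unaware(self, product, quantity):
        """Weak check: only tests that stock is above zero and ignores the
        quantity, so stock 5 with quantity 6 passes and stock goes negative."""
        with self.lock:
            if self.stock[product] <= 0:
                raise OutOfStock(product)
            self.stock[product] -= quantity  # may overshoot below zero
            return self.stock[product]

    def order_quantity_aware(self, product, quantity):
        """Hardened check: reject bad quantities, compare the request against
        what is actually available, and decrement under the same lock so two
        concurrent orders cannot both pass the check for the last units."""
        if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity < 1:
            raise ValueError(f"invalid quantity {quantity!r}")
        with self.lock:
            available = self.stock.get(product, 0)
            if quantity > available:
                raise OutOfStock(f"{product}: requested {quantity}, available {available}")
            self.stock[product] = available - quantity
            return self.stock[product]


def try_order(store, product, quantity, hardened=True):
    """Return remaining stock after the order, or None if it was refused."""
    method = store.order_quantity_aware if hardened else store.order_quantity_unaware
    try:
        return method(product, quantity)
    except OutOfStock:
        return None


def demo():
    """Replay the thread's scenario: stock 5, quantity 6, and a product with stock 0.
    Returns (weak_remaining, hardened_remaining, zero_stock_remaining)."""
    weak = try_order(Store(), "vps-small", 6, hardened=False)   # -1: oversold
    strong = try_order(Store(), "vps-small", 6)                 # None: refused
    zero = try_order(Store(), "vps-large", 1)                   # None: refused
    return weak, strong, zero


if __name__ == "__main__":
    print(demo())
```

The point for anyone maintaining such a check is that the quantity submitted by the client is untrusted input: it must be validated (a positive integer) and compared against stock on the server, and the comparison and the decrement must happen together, or a race between two orders reintroduces the overshoot.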
yggdrasil (author), posted January 15, 2016:

> Hi, if you allow multiple quantities of a product to be ordered, it is possible (as of v6.2.0) to order a greater quantity than is in stock. E.g., if the stock level is set to 5 and you order a quantity of 6, the order would go through. Perhaps your HTTP server logs will show this was used in this case? Case #CORE-8867 is open with our developers in order to have this reviewed for future releases. Unfortunately, I cannot provide an estimated time for completion for this. However, once we resolve cases and push features they are available at our change log, here: http://changelog.whmcs.com/ I apologize for the inconvenience, and appreciate your patience as we work to resolve this.

Actually, that installation is running v5 and the stock is set to 0 on all products, so I don't think it's related to the mentioned bug. When you try to order anything you receive an error which informs you the product is not available or out of stock, but somehow the fraudster managed to bypass that message and still complete the order. Either way, I was more curious than anything else whether someone has experienced something similar. If this happens in v6 I will surely research in more detail how they are doing it.