d2event

Thx for help, but I have found this myself :]

Ok nevermind I will do it like here:
http://kb.cs-cart.co...ent-information

I forgot about it, sorry

How about removing the email addys in settings?

You mean by removing email in admin.php?target=settings§ion_id=Company (Order department e-mail address)?
No, when customer place an order he will get an error on page.

Problem resolved, thank you mdekok3000 for help

Thank you its working Very simple

Hello.

I've encountered today an exploit that worries me. A "customer" has placed an order of 184 USD but the payment received via Paypal was 0.01 USD

First i thought that the user made have placed an order but he would not finalize it and then send via Paypal a small payment to try to trick me in thinking he paid for that order.

This is not the case. The order was recorded by the cart as being processed (email was sent also). This means that the buyer did placed the order via the shopping cart redirect. Else the order should have had an open status.

I also know that after being redirected to Paypal, the buyer can't change the value that he has to pay.

In the order processed email received from my cs-cart installation (1.3.5 sp2) the cart content is normal but in the payment-received-email from paypal one item is "worth" 0.01 and all others 0.00.

I've also emailed paypal but i would also appreciate your help.

Has anyone encounter this before ? If yes, what can be done.

How was this possible ?

I use cs cart 1.3.5 sp4

I had same order with this bug, Its paypal module exploit , not paypal exploit. I have another store with different script and I never had such bug!

I always deliver products without loggin on paypal (I use API only) - scammer found way to pay 0.01 USD and change status to paid.