Yesterday an email was somehow generated to all of our forum admins.
The following error occurred when processing a paid subscription
---------------------------------------------------------------
Paid subscription handler could not recover member ID
We do not use the paid subscription function, although I had looked at it certainly over a year ago and set up a test subscription, but never added a member to it or anything. I did delete the test and disabled the function under core features.
How might this happen? I want to be sure nothing nefarious going on.
You have more than 1 forum admin? That in itself is a risk, how many admins are we talking about?
A request that is sent to subscriptions.php some times could be caused by automated bot.
Quote from: Looking on September 25, 2018, 09:19:44 AM
You have more than 1 forum admin? That in itself is a risk, how many admins are we talking about?
That is NOT an issue. My admins have been with me for 18 years. We started our forum with YaBB in 2000, and have progressef through the software variations to where we are now. They are no more of a risk than I am. 8 is the answer however.
That error comes from subscriptions.php here -
// Get the subscription and member ID amoungst others...
@list ($subscription_id, $member_id) = $gatewayClass->precheck();
// Integer these just in case.
$subscription_id = (int) $subscription_id;
$member_id = (int) $member_id;
// This would be bad...
if (empty($member_id))
generateSubscriptionError($txt['paid_empty_member']);
I suppose it's possible someone tried to hack a subscription, but wouldn't know how to get subscriptions.php to throw that error by direct request. Subscription will not activate without verification from PayPal, so any attempt to hack a sub would fail.
We just had this happen again this morning. almost 2 years later.
Wouldn't worry about it if it's only happened twice. subscriptions.php will respond to inputs even if paid subs is disabled (try this - https://www.simplemachines.org/community/subscriptions.php). Best guess is bots threw some crap at it to see what it does. Won't get them anywhere.
Thank you. :)