[Not a bug] coupon help exploit

[diego.s.v]

This is a report from one of our customers:

- I log-in and go to My Account section.
- Then I choose an old order that contains a coupon previously purchased from some promotion ( https://www.example.com/store/index....rder_id=219960 )
- I scroll down until I can find the "Discount Coupon: xxxxxx" message which appears highlighted. If I do left-click on it, I can open a pop-up menu. I select 'copy link location'.
- I open a txt file and I paste. I get this: javascript:couponpopupWindow('http://www.example.com/store/index.php?main_page=popup_coupon_help&cID=7581')
- If I delete some data, then I get this: http://www.example.com/store/index.p..._help&cID=7581
- Then I make a copy that link and paste into the address bar of my browser. If I change the number by mantaining the rest of the address, I can free have access to all the coupons.
- Yesterday, I downloaded two products with two coupons that I randomly grabbed with the method explained above. Also, I deleted them inmediately.

[cvhainb]

If problem is in popup_coupon_help, you should to go to includes/modules/pages/popup_coupon_help and check the code.

[DivaVocals]

This is a report from one of our customers:

before you go tearing through the code (without any idea of what it is you should be looking for..) you might want to state what version of Zen Cart you are running..

[Ajeh]

I question the idea of "this is an exploit" ...

What stops me from going to Dell or Amazon or where ever and typing very very fast until I hit a valid coupon code for my order?

Eventually I would find the right combination of letters/numbers ...

If you are concerned as you use Discount Coupons with codes such as:
Oct1
Oct2
Oct3

then don't do that ...

Get a little more creative on the Discount Codes and they are not so easily guessed but still give you a trail on how you track your Discount Coupons ...