Security researcher arrested after he warns Hungarian transit company about their dumb mistake

That’s substantially worse than a lack of server-side validation. The server shouldn’t be expecting the client to provide the price in the first place, much less using it; at worst it should ignore it; at best it should treat the unexpected data as an error.

Well, maybe you could also use the client-submitted price to confirm that the price made it to the client and back unchanged, but that seems a little paranoid.

I think the most likely possibility is that this is an intentional bug that someone put in so they could get free tickets. You’d have to be really, really stupid to design it this way unintentionally.

I mean, if it’s actually a stateless process (no shopping cart on the server side linked to a cookie in the client), you can still quote a price to the user but include a salted cryptographic hash of the price/date/time/origin/destination/etc. that has to be sent by the client with the rest of the order so the server can confirm the quote is unaltered. But I’ve only ever seen that technique used for trivial things like expiring download links.
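The two points in the post above (the server looks the fare up itself rather than trusting a client-supplied price, and a stateless server can still hand out a signed quote that it verifies when the order comes back) can be shown in a few lines. The following is an added example, not code from the transit company or from the article; the fare table, station names, key and expiry window are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would load this from a secret store.
SECRET = b"constructed-demo-signing-key"

# Constructed fare table (price in HUF). The server is the only source of prices.
FARES = {
    ("central", "airport"): 900,
    ("central", "suburb"): 350,
}

QUOTE_MAX_AGE = 600  # seconds a quote stays valid (constructed value)


def _canonical(payload: dict) -> bytes:
    """Stable byte encoding so client and server MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def quote_fare(origin: str, destination: str, travel_date: str, issued_at=None) -> dict:
    """Server-side quote: the price comes from FARES, never from the client.

    The returned dict carries an HMAC over every field the price depends on,
    so the client can hold the quote without the server keeping any state.
    """
    try:
        price = FARES[(origin, destination)]
    except KeyError:
        raise ValueError(f"no fare for {origin} -> {destination}")
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    payload = {
        "origin": origin,
        "destination": destination,
        "date": travel_date,
        "price": price,
        "issued_at": issued_at,
    }
    tag = hmac.new(SECRET, _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "sig": tag}


def verify_quote(quote: dict, now=None, max_age: int = QUOTE_MAX_AGE):
    """Return (True, price) if the quote is untampered and fresh, else (False, reason).

    Any edit to price, route or date changes the MAC, so a client that submits
    the quote with a lowered price is rejected rather than charged that price.
    """
    if not isinstance(quote, dict) or "sig" not in quote:
        return False, "missing signature"
    payload = {k: v for k, v in quote.items() if k != "sig"}
    expected = hmac.new(SECRET, _canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, str(quote["sig"])):
        return False, "quote altered"
    now = int(time.time()) if now is None else int(now)
    if now - int(payload.get("issued_at", 0)) > max_age:
        return False, "quote expired"
    return True, payload["price"]


def place_order(quote: dict, now=None) -> int:
    """Accept an order only for a quote the server itself signed; return the price to charge."""
    ok, result = verify_quote(quote, now)
    if not ok:
        raise ValueError(f"order rejected: {result}")
    return result


if __name__ == "__main__":
    q = quote_fare("central", "airport", "2024-06-01", issued_at=1_000)
    print("charged:", place_order(q, now=1_100))
    tampered = dict(q, price=1)
    print("tampered quote:", verify_quote(tampered, now=1_100))
```

The key design point is that the client is only a courier for the server's own signed statement; the price field it echoes back is accepted solely because the MAC over it still verifies, which is exactly the "confirm the quote is unaltered" check the post describes. A server holding a cart keyed to a session cookie can skip the token and simply re-read the price from its own store.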