
osCommerce

The e-commerce.

Price Security Flaw?


EvilBeeker


So basically you change the lines indicated in the application_top.php and general.php files, instead of the SQL fix listed in the article?

Is this correct?

Thanks in advance!

- Kevin

You asked for the official fix, yes?

Is this true? Is this a fix I should deploy? If so, is there an official patch?

  • 4 months later...

I am unsure what version the Demo osCommerce store is running on, but the problem is still showing:

https://demo.oscommerce.com/index.php?currency=euR

If you hit that link, prices should show zero, and you will be allowed to check out.

So, if a shop sells intangible (aka downloadable) products, it is possible to get the product for free.

If a shop sells "real" products I would hope that the Store Owner would catch a zero price/checkout BEFORE sending the product.

I suggest to all Store Owners that you test out your own store, and if necessary make the "unofficial" or "official" fix as suggested.
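
The following is an added example, not part of the thread and not osCommerce's own code. It models one way a mixed-case currency code such as `euR` can produce a zero price, next to a hardened form that canonicalises the code before any lookup. The cause shown (a case-insensitive existence check followed by a case-sensitive rate lookup) is an assumption, and every function name and rate is hypothetical.

```php
<?php
// Constructed stand-in for the store's currencies table (code => exchange rate).
// All names in this file are hypothetical; none are osCommerce's own.
const CURRENCIES = ['USD' => 1.0, 'EUR' => 0.9];

// Assumed flawed pattern: the existence check ignores case (as a database
// comparison under a case-insensitive collation would), but the rate lookup
// uses a case-sensitive array key.
function currency_exists_loose(string $code): bool
{
    foreach (array_keys(CURRENCIES) as $known) {
        if (strcasecmp($known, $code) === 0) {
            return true;
        }
    }
    return false;
}

function price_flawed(float $base, string $requested): float
{
    $code = currency_exists_loose($requested) ? $requested : 'USD';
    $rate = CURRENCIES[$code] ?? null;       // 'euR' is not a key, so $rate is null
    return round($base * (float) $rate, 2);  // null casts to 0.0
}

// Hardened: resolve the request to the stored code, or fall back to the default,
// so every later lookup uses a key that is known to exist.
function canonical_currency(string $requested, string $default = 'USD'): string
{
    foreach (array_keys(CURRENCIES) as $known) {
        if (strcasecmp($known, $requested) === 0) {
            return $known;
        }
    }
    return $default;
}

function price_hardened(float $base, string $requested): float
{
    $rate = CURRENCIES[canonical_currency($requested)];
    if ($rate <= 0) {
        throw new RuntimeException('refusing to price with a non-positive rate');
    }
    return round($base * $rate, 2);
}

foreach (['EUR', 'euR', 'XYZ'] as $c) {
    printf("%-3s flawed=%.2f hardened=%.2f\n", $c, price_flawed(100.0, $c), price_hardened(100.0, $c));
}
```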


Archived

This topic is now archived and is closed to further replies.
