osCommerce Currency Bug Fix

We have identified a problem in osCommerce with the way it handles currencies. A malicious user can potentially check out of an unpatched store with any number of products but have a zero order total.

This problem affects single currency stores as well.

The problem is the way the MySQL database handles uppercase and lowercase strings: its string comparisons are case-insensitive. When a currency is selected, the 3 letter currency code is added to the URL. The problem arises when a malicious user alters this value from its uppercase setting of GBP to a lowercase gbp. On an unpatched store the effect is that all prices are displayed as zero.

To see if your store is affected by this problem, try the following URL: http://www.yourdomain.com/catalog/index.php?currency=gbp (you will need to replace the first part with the correct path of your store).

If your store is affected by this, you will see all of the prices displayed as zero. If not, you can assume that this problem doesn't affect you.
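The mismatch described above can be reproduced in miniature. The following is an added example, not the patch script offered on this page and not osCommerce code: it uses sqlite3 with COLLATE NOCASE to stand in for MySQL's case-insensitive comparison, and models (as an assumption about the application side) a store that validates the requested code against the database but then looks it up in a case-sensitive in-memory rate table. The hardened variant resolves the request to the code as stored in the table, so a lowercase request can no longer yield a zero price.

```python
import sqlite3

# Constructed sample rows standing in for the store's currencies table.
# Rates are chosen so the arithmetic below is exact.
SAMPLE_CURRENCIES = [("GBP", 1.0), ("EUR", 1.5), ("USD", 2.0)]
DEFAULT_CURRENCY = "GBP"


def make_db():
    # COLLATE NOCASE mimics MySQL's default case-insensitive string comparison.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE currencies (code TEXT COLLATE NOCASE, value REAL)")
    db.executemany("INSERT INTO currencies VALUES (?, ?)", SAMPLE_CURRENCIES)
    return db


def load_rates(db):
    # Application-side cache keyed by the code exactly as stored (uppercase).
    return {code: value for code, value in db.execute("SELECT code, value FROM currencies")}


def currency_exists(db, code):
    # Database-backed existence check: 'gbp' matches the 'GBP' row under NOCASE.
    return db.execute("SELECT 1 FROM currencies WHERE code = ?", (code,)).fetchone() is not None


def display_price_vulnerable(db, requested, price):
    # The DB says the code exists, so the request is kept verbatim ('gbp') ...
    if not currency_exists(db, requested):
        requested = DEFAULT_CURRENCY
    # ... but the case-sensitive lookup misses, and a missing rate acts as 0.
    rate = load_rates(db).get(requested)
    return price * (rate or 0)


def canonical_currency(db, requested, default=DEFAULT_CURRENCY):
    # Hardened: return the code as stored in the table, never the user's spelling.
    row = db.execute("SELECT code FROM currencies WHERE code = ?", (requested,)).fetchone()
    return row[0] if row else default


def display_price_fixed(db, requested, price):
    # The canonical code always exists in the rate table, so the rate is never missing.
    return price * load_rates(db)[canonical_currency(db, requested)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable gbp:", display_price_vulnerable(db, "gbp", 10.0))  # 0.0
    print("fixed gbp:", display_price_fixed(db, "gbp", 10.0))            # 10.0
```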

If your store has this bug then you can apply this simple patch we have written.

Installation instructions

1. First you need to download the patch from here
2. Now extract the file from the zip file and upload it to your store.
3. Now backup your database using the osCommerce backup tool.
4. Access the file using your browser: http://www.yourstore.com/catalog/currency_patch.php
5. You should now see "Patch applied successfully". If you see "Patch failed" then you probably don't need it.
6. Delete the patch file.
7. Test your store by adding ?currency=gbp to your URL.

Please note: This script is supplied as is, and no support can be given if it doesn't work.