Customers see "Credit Card" payment method and fields by default

07-09-2010, 09:52 AM
We have only the "Credit Card Via PayPal" and "Money Order" payment modules enabled.

Yet, when a customer is checking out, and clicks "Continue" from shipping, the first load of checkout_payment.php always shows a "Credit Card" area with the entry fields including cc# and cvv (!!!) The only way to get the expected radio-button menu for the two we actually support is to click the small check box labeled "Check this if you want to use a different payment method", and then click Continue again.

Needless to say, this is counter-intuitive. And I don't think it used to behave this way. How do I fix this so that the customer's first landing on checkout_payment.php shows the correct payment method options? I don't want customers entering their CC# at all because this webstore is not SSL enabled (hence the PayPal).

07-09-2010, 01:53 PM
I am sorry to tell you but ... you have been hacked! If you are seeing an alternative payment method they are skimming your site for credit cards.

Most likely you have:

not removed Filemanager or language manager.
renamed admin
left your permission set incorrectly

Read this post to work out what they have done and how to fix it. (http://www.oscmax.com/forums/oscmax-v2-features-discussion/22383-strange-checkout-error-check-if-you-want-pay-different-payment-method.html)

Then read this one - to secure your site. (http://www.oscmax.com/forums/oscmax-v2-features-discussion/22383-strange-checkout-error-check-if-you-want-pay-different-payment-method.html)


07-09-2010, 03:40 PM
Ugh! Well, I'm equally sorry to receive the news but at least it's an explanation.

We are currently running 2.0RC3, which I see is ancient by now. This is partly my fault for not having upgraded in so long. I see reference in one of Michael's blogs to there being 'no easy upgrade path' to the current releases from RC3... can you point me to any place where a difficult path is outlined? :-)

07-09-2010, 05:27 PM
Download the latest release and look in the Upgrade directory.
Also, be sure to check out the wiki on this site for stacks of information.

07-09-2010, 05:32 PM
It is fairly easy to upgrade if you have not heavily modified your site's core code (added a bunch of custom hacks/mods). If you have, that complicates the process. Because RC3 is so outdated, I recommend doing a stepwise upgrade to get your site to v2.0.3 stable, then upgrade to 2.0.25 in a second process.

The way I usually handle these really old sites (I upgrade a lot of them) is to get them to 2.0.3 then if there are a lot of customized files in the site, I then copy over my upgrade of the site to a stock 2.0.3 fileset that I have checked out of SVN. This little trick is awesome for getting SVN to do all the heavy lifting. The next step is to then do an svn update to the latest 2.0.25 revision.

SVN will handle updating all the files from 2.0.3 to 2.0.25 and merging most custom code. Any of your customized files that cannot be merged or have code conflicts will be flagged by SVN and you can easily do a manual three-way-merge of the problem files. I use this method and it saves hours and hours of manual file checking. If you have no idea what SVN is or what I am talking about, you may want to read up on subversion.

Alternately, a good short term solution is to patch all the known security holes. That will allow you to continue to run your current site securely. To do the security patches you can see all the security releases and apply them manually to your site.

07-27-2010, 10:00 AM
Thanks very much for the detailed reply, Michael!

I'll let you know how it goes.

09-19-2010, 07:38 PM
I have, with great difficulty, cobbled together a merge of my ancient code with 2.0.3, and excised all the crud that the malicious hack added.

But now I am getting a curious issue-- whenever I try to load certain pages (including products_info.php) I get an "endless redirect" error in my browser. Using curl I see the problem appears to be that, although the correct page content is loading, the HTTP response header is "301 Moved Permanently" rather than "200 OK", with the given 'redirect' URL identical to the one in the original request. That accounts for the browser error but I have no idea WHY this might be happening!

11-07-2010, 07:13 PM
For anyone who comes along with a similar issue in future:
v2.0.3 is SVN revision # 170
v2.0.25 is SVN revision # 430

so to use Michael's SVN trick, just "svn checkout -r 170" etc etc, copy your modified 2.0.3 install over that, then "svn update -r 430"

it DOES save time! :D
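
The stock-fileset comparison discussed in this thread, as an added example that is not part of any post above and is not osCMax code: a shell function that lists every file in a live site that is added, modified or missing relative to a clean stock tree, such as the `svn checkout -r 170` working copy mentioned above. The function name `audit_tree` and its two directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from osCMax).
# audit_tree STOCK_DIR LIVE_DIR
#   STOCK_DIR: clean fileset of the same version (e.g. an svn working copy)
#   LIVE_DIR:  copy of the files taken from the web server
# Prints one line per regular file that does not match the stock fileset:
#   ADDED <path>     present only in the live site (candidate injected file)
#   MODIFIED <path>  present in both, bytes differ (custom mod or tampering)
#   MISSING <path>   stock file absent from the live site
# .svn metadata directories are skipped. File names containing newlines
# are not supported.
audit_tree() {
    stock=$1
    live=$2
    if [ ! -d "$stock" ] || [ ! -d "$live" ]; then
        echo "usage: audit_tree STOCK_DIR LIVE_DIR" >&2
        return 2
    fi

    # Pass 1: walk the live tree and compare each file with its stock copy.
    ( cd "$live" && find . -name .svn -prune -o -type f -print ) | sort |
    while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$stock/$rel" ]; then
            printf 'ADDED %s\n' "$rel"
        elif ! cmp -s "$stock/$rel" "$live/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done

    # Pass 2: walk the stock tree to find files removed from the live site.
    ( cd "$stock" && find . -name .svn -prune -o -type f -print ) | sort |
    while IFS= read -r f; do
        rel=${f#./}
        [ -f "$live/$rel" ] || printf 'MISSING %s\n' "$rel"
    done
}

# Run directly as: sh audit_tree.sh STOCK_DIR LIVE_DIR
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```

Every ADDED or MODIFIED line needs a manual look: legitimate customizations show up alongside anything an intruder changed, so the output is a review list rather than a verdict.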