Some minor security issue.

An attacker was able to download files from a pending order by generating a direct URL:
download.php?order=40&id=20


/catalog/download.php:

------- Find:
// Die if file is not there
if (!file_exists(DIR_FS_DOWNLOAD . $downloads['orders_products_filename'])) die;

------- Add Below:
// Die if the order is still pending (status id 1 on a default install;
// 2 = Processing, 3 = Delivered pass the check)
require_once (DIR_WS_CLASSES . 'order.php');
$order = new order ((int)$HTTP_GET_VARS['order']);
if($order->info['orders_status_id'] < 2) die;

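The same gate written as one self-contained function, so the whole authorization decision for download.php (valid order, owned by the logged-in customer, not pending) sits in one place. This is an added example, not the patch above and not osCommerce's own code; the row layout, the status numbering (1 = Pending, 2 = Processing, 3 = Delivered on a default install) and the sample rows are assumptions.

```php
<?php
// Added example: a single authorization gate for serving order downloads.
// Assumptions (not from the post): order rows carry 'customers_id' and
// 'orders_status_id', and status 1 means Pending as on a default install.

const ORDER_STATUS_PENDING = 1;

/**
 * Decide whether a download may be served.
 *
 * $order is the row looked up for the "order" URL parameter (null if none).
 * $session_customer_id is the logged-in customer taken from the session,
 * never from the URL: the URL parameter alone proves nothing.
 */
function download_is_authorized(?array $order, ?int $session_customer_id): bool
{
    // Not logged in, or the order id in the URL does not exist: deny.
    if ($session_customer_id === null || $order === null) {
        return false;
    }
    // The order must belong to the customer asking for it.
    if ((int)$order['customers_id'] !== $session_customer_id) {
        return false;
    }
    // The post's fix: a pending (unpaid) order gets no files.
    if ((int)$order['orders_status_id'] <= ORDER_STATUS_PENDING) {
        return false;
    }
    return true;
}

// Constructed sample rows keyed by orders_id, standing in for the database.
$orders = [
    40 => ['customers_id' => 7, 'orders_status_id' => 1], // pending
    41 => ['customers_id' => 7, 'orders_status_id' => 3], // delivered
    42 => ['customers_id' => 9, 'orders_status_id' => 3], // another customer's
];

// In a real install this comes from the session, not from the request.
$session_customer_id = 7;

// Cast the URL parameter to int before any lookup, as download.php's query does.
foreach ([40, 41, 42, 99] as $requested) {
    $row = $orders[(int)$requested] ?? null;
    printf("order %d: %s\n", $requested,
        download_is_authorized($row, $session_customer_id) ? 'allowed' : 'denied');
}

// In download.php the same call would guard the file read:
//   if (!download_is_authorized($row, $customer_id)) { http_response_code(403); exit; }
//   ... only then open DIR_FS_DOWNLOAD . $filename and stream it.
```

Keeping ownership and status in one function means the check cannot be skipped by a second download path (for example a different page that also reads `orders_products_filename`), and it is easy to unit-test against rows like the constructed ones above.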

Hope that's it!
P.S. The attached file contains the fixed download.php.