Let me preface this by saying that I'm prepared to accept that I'm just not doing something right, however:
I think there's a hole big enough to fit a Mack truck through in the Paypal IPN module.
Say you've got an item that's a downloadable item worth $25. Bob checks out using Paypal IPN and is directed to Paypal, where he's presented with the option of paying $25 for his purchase. Meanwhile, his order has already been created with a status of Paypal Processing - download is not yet available.
Being the sneaky sort, Bob checks the URL at Paypal and, lo!, there, not particularly well hidden in the URL, is the PRICE of the item he's about to purchase. Bob snickers to himself and changes the price from $25.00 to $0.01, then resubmits. Sure enough, Paypal pops up a fresh page that allows him to pay $0.01 for this item now.
Bob completes his transaction, and this is where everything falls apart. Paypal sends the IPN to osCommerce saying that order # XX for Bob Dobbs has been VERIFIED. The IPN module says VERIFIED? Great, let me just update the order status to "Paid" or whatever it's been configured to do. IT DOES NOT CHECK TO SEE HOW MUCH HAS BEEN PAID, OR IF THE AMOUNT PAID EQUALS THE AMOUNT THAT THE ORDER IS WORTH.
In this case, Bob's $25 order is now ready for download for $0.01. Quite a bargain, eh?
I've tested this over and over again, using cURL, not using cURL, test mode, not test mode, etc. This is with Paypal IPN v0981 for milestone 2.
Seems to me that a crucial step has been left out of the order verification process - but as I say, I'd not be surprised to find out I've just screwed something up :P Anyone else getting this?
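The missing step the post describes is the comparison between what PayPal says was paid and what the shop recorded for the order. The following is an added example, not code from the original post or from the osCommerce PayPal IPN module, of an IPN handler that performs that comparison before marking an order paid. The IPN field names (`payment_status`, `mc_gross`, `mc_currency`, `txn_id`, `receiver_email`, `invoice`) are PayPal's; the `ORDERS` table, the merchant address and the `postback_verified` flag (standing in for the VERIFIED/INVALID reply PayPal gives when the notification is posted back to it) are constructed stand-ins for the shop's database and the postback step.

```python
"""
Added example (not from the original post or osCommerce): an IPN handler that
only releases an order when the notification's amount, currency, recipient,
status and transaction id all match the order the shop recorded. A VERIFIED
postback proves the message came from PayPal, not that the right amount was
paid; the amount check is the step the post says is missing.
"""
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the shop's order table: invoice -> order record.
ORDERS = {
    "1001": {"total": Decimal("25.00"), "currency": "USD",
             "status": "Paypal Processing"},
}
# Transaction ids already credited, so a replayed notification cannot pay twice.
SEEN_TXN_IDS = set()
# Constructed merchant address; a real handler reads this from configuration.
SHOP_RECEIVER_EMAIL = "merchant@example.com"


def process_ipn(ipn, postback_verified):
    """Return (accepted, reason). Only (True, ...) may mark the order Paid."""
    if not postback_verified:
        return False, "postback not VERIFIED"
    if ipn.get("payment_status") != "Completed":
        return False, "payment not Completed"
    if ipn.get("receiver_email", "").lower() != SHOP_RECEIVER_EMAIL:
        return False, "receiver_email does not match the shop"
    order = ORDERS.get(ipn.get("invoice"))
    if order is None:
        return False, "unknown invoice"
    if order["status"] != "Paypal Processing":
        return False, "order is not awaiting payment"
    if ipn.get("mc_currency") != order["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except (InvalidOperation, TypeError):
        return False, "unparseable mc_gross"
    # The crucial comparison: what PayPal says was paid vs. the order total.
    if paid != order["total"]:
        return False, f"amount mismatch: paid {paid}, order total {order['total']}"
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in SEEN_TXN_IDS:
        return False, "missing or replayed txn_id"
    SEEN_TXN_IDS.add(txn_id)
    order["status"] = "Paid"
    return True, "ok"


def sample_ipn(amount, txn_id):
    """Constructed IPN payload for the $25 download order in the post."""
    return {
        "payment_status": "Completed",
        "receiver_email": SHOP_RECEIVER_EMAIL,
        "invoice": "1001",
        "mc_currency": "USD",
        "mc_gross": amount,
        "txn_id": txn_id,
    }


if __name__ == "__main__":
    # Tampered checkout: PayPal verifies the message, but only $0.01 was paid.
    print(process_ipn(sample_ipn("0.01", "TXN-TAMPERED"), True))
    # Honest checkout for the full order total.
    print(process_ipn(sample_ipn("25.00", "TXN-OK"), True))
```

The order of checks matters: the amount and currency are compared before the transaction id is recorded, so a rejected notification leaves no trace that could block a later, correct payment for the same order.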