- Written by: Max Milbers
- Category: Latest News
As we mentioned in the last news post, VirtueMart is audited by several security companies. We are very happy that they found the persistent XSS before we released vm3.0.8, so vm3.0.8 already contains the fix.
The vulnerability discovered by Fortinet’s FortiGuard Labs, tracked as CVE-2015-3619, is a persistent (stored) XSS.
Read more: Release VM3.0.9, secured by Fortinet’s FortiGuard Labs
- Written by: Max Milbers
Security release VM 3.0.8
Finally, after some interim versions, here is the release of VirtueMart 3.0.8.
All fixes were already included in VM 3.0.6. Additionally, we released VM 3.0.6.2 to minimize problems due to the last security problem in PHP itself (https://github.com/80vul/phpcodz/blob/master/research/pch-020.md).
- Written by: Max Milbers
In VirtueMart 3.0.6 we fine-tuned the completely redesigned Multi Variants, which were introduced in our previous release. Let me give you a short introduction.
One of the most advanced features of an e-commerce store is the ability to display different variants of one product in a clear structure. The typical example is the T-shirt product with its variants. We have created a small example here: http://demo.virtuemart.net/default-products/vm-t-shirt-multi-variant-detail.
Not all colours are available for every size, and for aesthetic reasons the "blue" imprints are not available for the "blue" coloured T-shirt. Every drop-down combination points to a real product. The handling is easy, as the most important product attributes are accessible from the parent product (variant attributes, SKU, price). So you can easily configure more than 50 product variants in a single view, with different stock levels, prices and images. If you select an already existing attribute like length, weight, etc., you can change the value directly using the drop-down matrix in the parent product. You can also modify the display (for example rounding).
We added a new configurable automatic selection of the shipment and payment method if more than one is available. The long desired feature "register as admin in the frontend" was also added. We also cleaned up the Custom Fields tab in the Product Edit view to give more room for Custom Field configurations. VirtueMart 3.0.6 is also a lot faster, due to new MySQL keys and more caching. The administration menu now stays usable while collapsed.
There is a new keepAlive script, which automatically extends the session for your shoppers if there is a product in the cart. It also automatically extends the session lifetime in all backend views. It checks for user input, so it does not run endlessly. As an example: if your session time is set to 30 minutes and your guest is checking out, leaves the computer (with the browser open) and returns after 50 minutes, he is still logged in. If the user now interacts with the screen (clicking, typing), the keepAlive script directly fires a keepAlive and extends the session again. Let's assume the user saves his data after 70 minutes (after searching for his/her credit card): the session is still alive.
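To make the behaviour described above concrete, here is an added example of an activity-gated keep-alive. It is not VirtueMart's own keepAlive script; the option names, the hypothetical /keepalive endpoint and the hasCartItems callback are assumptions made for this example. The point it shows is the security-relevant one: the client extends the session only while the shopper is interacting (plus a bounded grace period), and a returning shopper triggers an immediate extension, so a forgotten tab cannot keep a session alive forever.

```javascript
// Added example; not VirtueMart's own keepAlive script. Demonstrates an
// activity-gated session keep-alive: the page extends the server session only
// while the shopper is interacting, or for a bounded grace period after the
// last input, so an abandoned tab cannot keep a session alive forever.
// Option names, the /keepalive URL and the hasCartItems callback are assumptions.

function createKeepAlive(options) {
  const intervalMs = options.intervalMs;           // minimum spacing between two pings
  const graceMs = options.graceMs;                 // keep pinging this long after the last input
  const ping = options.ping;                       // sends the keep-alive request to the server
  const now = options.now || (() => Date.now());   // injectable clock (a test can use a fake one)
  const hasCartItems = options.hasCartItems || (() => true);

  let lastActivity = now();
  let lastPing = now();
  let pings = 0;

  function shouldPing(t) {
    if (!hasCartItems()) return false;             // empty cart: nothing to protect, let it expire
    if (t - lastPing < intervalMs) return false;   // rate limit, never hammer the server
    return t - lastActivity <= graceMs;            // shopper present or only recently gone
  }

  function sendPing(t) {
    ping();
    lastPing = t;
    pings += 1;
    return true;
  }

  // Input handler: record the activity and, if the last extension is old
  // (shopper came back after a pause), fire a keep-alive straight away.
  function noteActivity() {
    const t = now();
    lastActivity = t;
    return shouldPing(t) ? sendPing(t) : false;
  }

  // Timer handler: returns true when a ping was sent. Without recent input
  // it stays silent, which is what stops the script from running endlessly.
  function tick() {
    const t = now();
    return shouldPing(t) ? sendPing(t) : false;
  }

  // Wire into a browser window; returns the interval id so it can be cleared.
  function start(win) {
    ['click', 'keydown', 'mousemove', 'touchstart', 'scroll']
      .forEach(ev => win.addEventListener(ev, noteActivity, { passive: true }));
    return win.setInterval(tick, intervalMs);
  }

  return { noteActivity, tick, start, pingCount: () => pings };
}

// Browser wiring (not executed here): ping a hypothetical same-origin endpoint
// every 5 minutes, and give up 15 minutes after the last input.
function startBrowserKeepAlive(win) {
  return createKeepAlive({
    intervalMs: 5 * 60 * 1000,
    graceMs: 15 * 60 * 1000,
    ping: () => win.fetch('/keepalive', { method: 'POST', credentials: 'same-origin' }),
  }).start(win);
}
```

Note that the effective idle timeout becomes graceMs plus the server-side session lifetime, so choose graceMs deliberately rather than making it large; the rate limit (intervalMs) keeps event bursts such as mouse movement from turning into a stream of requests.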
We strongly recommend anyone using an older version of VM3 to update. The release is heavily tested, and some changes and fixes were made especially for third-party developers.
There is also a small update for the vm2.6 series. It contains the new keys for the SQL joins to speed up your store. The new JS handler was also added for easier compatibility between vm2.6 and vm3 extensions.
- Written by: Max Milbers
A bit earlier than expected, we have to release vm3.0.4 to close a vulnerability in the core. This is a real vulnerability, but not an exploit. The problem is a wrong error reporting setting, which can reveal the server path in use and so helps a real attack.
More and more people use PHP 5.4 or PHP 5.5, which have different default error handling, so they sometimes saw Strict Standards errors displayed (revealing the path). To prevent this, we added a function to disable "Strict Standards" reporting for the "default" and "none" settings in Joomla. Unfortunately, for a special debugging case we left the setting enabled. So regardless of the configured setting, you always got at least the "Simple" setting. Luckily, it is not so easy to provoke warnings and errors in VirtueMart 3.
In case you don't want to update, here is the manual fix:
- Open the file config.php at /administrator/components/com_virtuemart/helpers/config.php.
- Go to line 583 and replace
ini_set('display_errors', '1');
with
ini_set('display_errors', '0');
Or just download the new version.
There is just one important layout change in the new version, for people who override the sublayout prices: the sublayout prices.php had a <div class="clear"></div> at the end, which was removed to increase the flexibility of the sublayout.
The new version contains a new sample product, the "child variant", which allows you to use up to 5 drop-downs to determine the product variant. It is similar to the stockable plugin, but also allows changing the variant data of any child directly from the parent. The handling of the feature is not perfect yet, but it is a good start. Feel free to share your ideas on our forum.
New features and bug fixes:
- cleaning of the code
- increased robustness
- increased consistency
- more J3 compatibility (minor)
- added JS to fire the checkout automatically (without redirect), so the confirmation is shown directly
- the manufacturer link on the product detail page now opens the manufacturer page, no longer the manufacturer's product list
- the RSS feed in the control panel is now loaded by AJAX, so the control panel still loads if the RSS feed has problems
- custom media, related products and categories with image size parameter
- added the variable "writeJs" to vmview, for example to prevent writing of JS into PDFs
- added hash for categoryListTree
- changed the calculator so that default userfield parameters are set directly on instantiation; fewer problems with tax by country for guests
- fixed the function declarePluginParams in vmplugin.php
- fixed trigger plgVmDeclarePluginParamsUserfieldVM3
- and some more.