Security release Vm3.0.8

Written by Max Milbers on .

The other two vulnerabilities were minors (non-persistent XSS) and described here:

So what happened in the meantime?
Well, our dear fellow Joomla developers kept us even more busy than usual. :-) We were forced by different circumstances to release minor interim versions. First, we had to react fast to different problems in Joomla. For example in February we were informed by "Appcheck NG", that we were distributing the dangerous file 'uploader.swf' in our Joomla 2.5.x/VM 3.0.x full-installer. After some investigations it became clear, that the file was still distributed by Joomla and was only removed when users updated Joomla. The file has been known as dangerous since J2.5.10, but is still present in the J2.5.28 installer. So we removed the file from our package and added a remove function to our install and update function of VirtueMart 2.6.16+ and 3.0.6+ to ensure that the file is deleted.

Some days later, after we had just adjusted the toolbar javascript to Joomla 3.4.0, version 3.4.1 was released, which broke the validation.js of the toolbar's 'Save' button. The reasons were "optimisations" and "deferrable" changes of low priority issues. In our humble opinion the reason for this probably is the new release strategy of Joomla not having short term and long term releases. We do welcome that Joomla dropped the STR and LTR system, but the new system seems to miss clear rules about which kind of features are allowed to be added within a minor update version. I think the VirtueMart community has already had their fingers burned by the constant implementation of new features. It took us some releases to get a feeling for it and it is a matter of experience and rules. Since Joomla has a more mutating team than VM, it would be better for the Joomla team to write down their knowledge in rules. It remains very interesting as to how the Joomla community will deal with this situation. From a developers point of view, in the past we had to ensure compatibility only for major releases, like j1.0, 1.5, j2.5, 3.3. At present it seems we have to cope with minor releases like 3.4.x, 3.5.x and so on, too. Or to put it bluntly: Joomla becomes unstable. For a developer stable/unstable means not just that the execution of the program is stable, it usually also means that the program behaves the same way as before.

I wrote the above 1 week ago and meanwhile we are suffering from new problems with routing of the language in Joomla 3.4.1, a new problem with canonical urls and more. So let's hope that all the currently open router/SEF fixes, viewable at will be tested and merged into Joomla as soon as possible. A half baked new router system creates many problems for us.

Since there are still security audits for Joomla 2.5.28, even after the announced End Of Life, we currently recommend that multilingual shops stay with Joomla 2.5.28 until we have a stable Joomla 3.4.x or 3.5 version. Our Supporter Membership implies a security maintenance contract and ensures a stable and secure system.

As many live shops show, staying with Joomla 2.5.28 doesn't mean, the system is not responsive or not mobile friendly. There are great templates in the market that offer all the mobile friendly features that are necessary to have an up-to-date e-commerce system with a stable Joomla 2.5 backbone.

We really worked hard on the new version and besides fixing bugs, we also added some features.

  • The vmbeez template is now mobile friendly (Kudos to Stefan Schumacher)
  • New option for Multivariants, which automatically creates the selected customfield "string" in the childs for you. This is very important for search plugins
  • multi variant gives correct numbers of rows (for browsepage)
  • new Sampledata with new images
  • added more not null declarations for sql
  • Fallbacks for IE9, various js, missing config values and similar
  • category name understands vmText language keys
  • Added extra option to "is_list" for the customfields S and M
  • Address handling in cart is enhanced
  • Example for making the code more robust: creating of children had a limited due the slug finder (was not doing more than 20 tries). The new function uses the slug of the most recent generated child to find a new slug.
  • Another example: Added function ensureUniqueId to keep all html id tags to ensure unique id tags (not implement for any html function, yet)
  • or Vmprices addtocart works now also with entity button, not just input
  • added vRequest::vmSpecialChars without double encoding, the reason is that lang can be a command in php (thx to Kainhofer for hint and patch)
  • and a lot more, you may investigate the repository yourself

Furthermore we released the new vm2.6.18, just minor bugfixes. 


#6 scottst 2015-06-11 16:46
Still have the blank admin error.

Have checked vendor #, shopper number, shopper is vendor etc.

Cannot edit configuration at all.

//Answer: Do not hesitate to open a ticket at we offer support for suitable rates.
Report to administrator
#5 boluak 2015-06-03 13:01
got a blank admin after update from joomla updater, aio was not given as an option. the problem seems to be with mod_virtuemat menu.
restored from backup.
now trying again

//Answer: Please view forum help:
Report to administrator
#4 JerrySCO 2015-05-19 12:01
Updated but my website has crashed after this. Hopefully I had a backup made before so now I'm afraid to update anything.

//Answer: At first please make sure VM core is updated, then update "All in One" (aio)
Report to administrator
#3 Jormolca 2015-05-12 19:07
Good thing I did backup before installing the update.
I so do. When I update a white screen when I try to enter administration.
Any solution?

//Answer by mod: should be fixed meanwhile
Report to administrator
#2 Melmoi 2015-04-27 15:36

Since I have installed it, i got a blank page in my admin :(

I have tried to uninstall it in the database but it does not fix the problem
Report to administrator
#1 Minhuelo 2015-04-21 00:17
How to update from 3.0.4?

Report to administrator

Add comment

Security code