VirtueMart Project

We put on the helmet! Important Security release 4.6.0

Written by: Max Milbers
Category: Latest News
Published: 25 September 2025
Another important security and bugfix release 4.6.0

An XSS was found again by Adam Wallwork. This time I did a general update of our filters, many functions got enhanced. Some filters are now always active, we do not leave it to the developers. This version is NOT working on Joomla 6, we will release a new VirtueMart 5 to match all the changes.

 

Max Milbers put on the helmet at Königstein Fortress

 

What else happened? We heavily work on a namespaced VirtueMart version, which runs without legacy plugin on Joomla 3 up to Joomla 6.
I backported some of the new techniques, so that new code may also run on the old unnamespaced version. The namespaced version will be pushed forward and the unnamespaced version, which will never run on Joomla 6, will receive only security updates.

The main work left to be done is to sort our own compatibility aliases and make them optional. Currently even old extensions written for VirtueMart 3 and Joomla 3 may still work on the new VirtueMart 5. Yeah :-) The new VirtueMart 5 has a significantly changed core base. Btw, reaching this compatibility was a kind of accident. I have been working on VirtueMart for WordPress and have started to add namespaces to VirtueMart in order to better understand which Joomla classes and libraries are really needed. As a result, VirtueMart is increasingly developing into a standalone solution based on Joomla.

DOWNLOAD VirtueMart 4.6.0 NOW

DOWNLOAD Hotfix for VM3.6 - VM4.4.10

Features

  • Product groups just for the active category
  • Enhancements for Pagination
  • Unpublishable customfields per product
  • OPC bs5 layout, display always shipment/payment options.
  • userfields, added data-dynamic-update to country dropdown
  • Added new namespaced files to VM unnamespaced, so new code can also work on the old 4.6 core
  • New vmdefines is using the composer autoload 
  • New install routines
  • Integrated new customised composer autoloader works case INsensitive!
  • cart enhanced storing of user data

Fixes

  • Fixes for vRequest
  • Fix for storing userdata in OPC
  • Fix for price display with unit
  • Enhanced method to prevent javascript in pdfs
  • Js fixes; dynupdate.js Dropdown in cart kicks the ajax updater, meant for the country dropdown
  • toggleCartButton.js function iStraxx.toggleAddToCartButton, added event.stopSendtocart to remove the click event from the addtocart button, to prevent an event queue if other scripts use this button
  • changed all in one installer, integrated modules vmlanguage and vendor,
  • changed default position from position-4 to sidebar-right
  • changed package.xml, removed the both modules
  • Important small update for the router, which prevents a 1.5 loop
  • changed default order of the email userfield
  • Important new JS for the OPC, added js which reacts on text input field changes and sets a saveUserData=1 to the form, which controls if user data should be stored
  • enhanced getRegisterGuestOptions
  • carthelper fixed function which tests how often a coupon got used, works now also for guests (checking per email and for registered by user id)
  • It is important that the router does not somehow call a vRequest get, because the variables are not set, which creates wild iterations; replaced some requests by proper booleans in a class.
  • Router fixed problem with productdetail menu items and products displayed in a common category with menu item
  • more recaptcha
  • ... and more little stuff.

 

Important Security and Bugfix release 4.4.10

Written by: Max Milbers
Category: Latest News
Published: 09 May 2025

What's going on here? 3rd security release within 6 months? Yes, that is unusual, but better the leaks are found and closed than a false feeling of safety. In this special case we also provide the fix for old installations. It should work for any installation higher than vm3.6

DOWNLOAD VirtueMart 4.4.10 NOW

DOWNLOAD Hotfix for VM3.6 - VM4.4.8

Features:

  • We added a new function checkByShowColumns which executes a basic check based on the table definition for data to be stored in the db
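
The idea behind such a check, validating data against the table definition before it is stored, can be sketched as follows. This is an added example, not VirtueMart's checkByShowColumns implementation; the function name checkAgainstColumns, the table columns and the request data are hypothetical and constructed.

```php
<?php
// Hypothetical helper, not VirtueMart code: checks $data against SHOW COLUMNS rows.
// Keys without a matching column are dropped; values that do not fit are reported.
function checkAgainstColumns(array $columns, array $data): array
{
    $clean = $errors = [];
    foreach ($columns as $col) {
        $name = $col['Field'];
        if (!array_key_exists($name, $data)) {
            continue; // not submitted, the column default applies
        }
        if (!is_scalar($data[$name])) {
            $errors[$name] = 'expected a scalar value';
            continue;
        }
        $value = (string) $data[$name];
        // Type looks like "int(11) unsigned", "varchar(255)", "decimal(10,2)" or "text".
        $type = strtolower($col['Type']);
        $base = preg_match('/^[a-z]+/', $type, $m) ? $m[0] : '';
        $max = preg_match('/\((\d+)/', $type, $m) ? (int) $m[1] : null;
        $intRe = strpos($type, 'unsigned') !== false ? '/^\d+$/D' : '/^-?\d+$/D';
        if (in_array($base, ['tinyint', 'smallint', 'mediumint', 'int', 'bigint'], true)) {
            // The number in int(11) is a display width, not a limit; range is not checked here.
            $ok = preg_match($intRe, $value) === 1;
        } elseif (in_array($base, ['decimal', 'float', 'double'], true)) {
            $ok = preg_match('/^-?\d+(\.\d+)?$/D', $value) === 1;
        } elseif (in_array($base, ['char', 'varchar'], true)) {
            $ok = $max === null || mb_strlen($value, 'UTF-8') <= $max;
        } else {
            $ok = true; // text, date, blob ...: no basic check in this sketch
        }
        if ($ok) {
            $clean[$name] = $value;
        } else {
            $errors[$name] = "value does not fit column type $type";
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed SHOW COLUMNS rows for a hypothetical table.
$columns = [
    ['Field' => 'id', 'Type' => 'int(11) unsigned'], ['Field' => 'name', 'Type' => 'varchar(8)'],
    ['Field' => 'published', 'Type' => 'tinyint(1)'], ['Field' => 'price', 'Type' => 'decimal(10,2)'],
];
// Constructed request data: an unknown key, a non-integer flag and an over-long name.
$data = ['id' => '42', 'name' => 'Helmet XXL', 'published' => 'on', 'price' => '19.90', 'is_admin' => '1'];
print_r(checkAgainstColumns($columns, $data));
```

A check like this complements prepared statements and output escaping; it does not replace them.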

Fixes/Enhancements:

  • Enhanced multi uploader to better use existing code
  • fixed display of file type as icon
  • Product module cache considers chosen currency
  • Little fix for eWay to reflect namespacing
  • PayPal Checkout fixed wrongly forced currency for hosted fields

Security and Bugfix release 4.4.8 - Discord Server

Written by: Max Milbers
Category: Latest News
Published: 14 April 2025

The security issue requires the permission to edit categories, so it is even likely that no shop is affected. Only multivendor shops that allow category editing may be affected. This issue was found by Adam Wallwork.

A small feature has been added for the checkboxes of “tos” and similar. It is now possible to use an article id or alias in the "default" field to load a Joomla article if a custom userfield and the layout "tos" are selected. It is also possible to set the text in the "description" field only. Very handy for additional contract terms.

We have replaced our old TcPdf library with the official updated version 6.8.2 of TcPdf. The versioning was taken from the library. So it looks like a high jump, but the library has no new features, but is better secured and adapted for PHP8.

We have opened a new discord server which is in general free for any community member. The forum shows the invite link, if you are at least in the "Jr. Member" group, which is the first after "Beginner". You are welcome to join us there.

DOWNLOAD VirtueMart 4.4.8 NOW with a membership

Enhancements

  • Registration fields now appear at the end of the address data fields. This creates a more modern flow for one page checkouts.
  • Fixed getInvoiceName to use set layout.
  • Order edit, adding selection of tax for shipment/payment
  • Added pagination for shipment/payment administration list
  • Vendor view, added address fields to skip

Bugfixes

  • Function mergeSessionSgrps added cast to array
  • Table Media, added fields for convert to ints
  • Cart added property cart to prevent dynamic adding
  • Replaced shopFunctionsF::getInvoiceName with VirtueMartModelInvoice::getInvoiceName
  • vmplugin, added unsetForDebug
  • Added some cast to ints storing category xref table
  • Guests are only registered if isset($_REQUEST['register']) is true (opt-in by design)
  • Fixed deletion of positions in cart
  • vmJsApi fixed popup function so that we can use different containers, but load the same lib
  • Search module, removed wrong post data

DOWNLOAD VirtueMart 4.4.6 NOW without membership

Bugfix release 4.4.6

Written by: Max Milbers
Category: Latest News
Published: 29 January 2025

I am sorry guys, the last release was rushed by the security issue and I underestimated that testers were not testing due to holidays, New Year's Eve and all that. This version is now tested very well. Many hours by different testers went into testing. I added a small tool which fixes all images which lost the image property for you.

DOWNLOAD VirtueMart 4.4.6 NOW with a membership


Fixed/enhanced/enabled Feature

  • Enabled registration on the first page of the BS5 native OPC
  • Added small tool, which updates the "is image" property for all media
  • Google drive images are working now (just enter the right link with https and set the "is image" checkbox)
  • Fixed pagination issues. Pagination should now keep the keyword, or set tags
  • Fixed order editing shipment tax
  • Added hidden config searchEnabled.
  • Fixed the problem that people misused the notify list, by the following:
    - captcha "repaired" by just replacing the checked option notify_captcha with ask_captcha. This means that the options for "ask a question" are used
    - by checking if the feature is actually enabled
    - by checking if the product is actually out of stock
    Read more here: https://forum.virtuemart.net/index.php?topic=152246.msg543829

Possibly interesting for 3rd party developers

  • Blocked writing of js if format is pdf, we never want js in our pdfs
  • vmjsapi function setPath, the second param is special now and listens on the word "admin" (which cannot be a normal path) to indicate that the script must be loaded from the admin area

Bugfixes

  • Fixed problem with "is image" checkbox, which is now prechecked if the media is an image.
  • Fixed captcha by removing second param of redirect
  • JRoute, second param should be yes (use Xhtml)
  • Fixed storing of user address if not in the checkout
  • Vmvalidator is now loaded with defer true
  • Product model, storing a product should not change the set filter of the list any longer
  • Fixed that sometimes a non published category was used
  • Fixed precalculation of variants if a virtual empty option is used
  • Router fixes for full category tree and without and menu item and category name mixed mode
  • bs5-stockandle layout replaced JFunctions with the vm ones
  • Fix in model customfields preventing trim for null
  • jQuery 3.7 needs "filter" not "find" (fixes ajax update if there are related products)

Security release 4.4.4 Update

Written by: Max Milbers
Category: Latest News
Published: 03 January 2025

From time to time it happens. We have an XSS issue. Reported by Aman Rai. More info later. Version vm4.4.4 has a fix to prevent them.

[Update] After some further investigation together with the Joomla core team, this issue can not be exploited in the latest Joomla versions. If you have Joomla 5.1.4 or later or 4.4.8 or later installed, the issue is already fixed. We did not check against Joomla 3.

[Update 2] Sorry guys, a little error found. If you store a product with media, the checkbox "is image" is not preselected. The fix is ready, but this time we want to take more time for testing to prevent such stupid errors (mea culpa).

  • Adjustments for Tableupdater to prevent unnecessary updating of keys in mysql8
  • vmUri extended whitelist, function works now also with given query
  • vRequest extended function getVar to work with given source
  • install.sql fixed TINYINT(4) against TINYINT(1)
  • added the option to add no searchfield
  • added setConvertInt also for plugin tables
  • added property "isImage" for medias, works BC
  • fixed currency if none is set
  • fixed adding of new states in the new admin layout
  • fixed problem in router
  • user registration fix if not in checkout

 

VirtueMart ® der iStraxx UG (haftungsbeschraenkt)
