Details

Written by: Valérie Isaksen

Category: Latest News

Published: 23 October 2014

Hits: 41654

We are pleased to announce the release of VirtueMart 2.6.12

Special Realex Offer

Realex Payments, one of Europe’s fastest growing payment solution providers, is delighted with its latest integration with Virtuemart, the free online shop solution. The integration with Virtuemart provides ecommerce merchants with a one-stop solution for merchant online payment processing. To mark this latest release, Realex Payments are offering 2 months FREE payment processing to all new VirtueMart merchants to their platform.

Improve your online conversions with Realex Payments’ latest shopping cart integration with VirtueMart.

Realex Payments are offering 2 months FREE payment processing to all new VirtueMart merchants to their platform.

Sign Up today

VirtueMart 3 almost ready to launch

We release VirtueMart 3 next week.

You have not tested yet? it is time to do it.

You think you found a bug? please report it on the forum.

Your are a 3rd party VirtueMart developer? Test your extension against the new version.

Updates and bug fixes VirtueMart 2.6.12

• Category tree cache considers language now
• Realex: handling503; incorrect eci being submitted when card type is mastercard and eci value returned is 2;returntovm: missing option com_virtuemart; 503 dont block transactions; invalid payment infos errorcode 509; maestro cards, redirect in case of payment details error; added partial refund and partial capture
• Klarna: ok with opc off; country names; company/private fixed
• Vmpdf uses folder VMPATH_ROOT instead of K_PATH_IMAGES
• Encrypted data is stored encrypted in vmtable cache
• Installation routine shows right options for fullinstaller
• VmTable, enhanced Cache and other optimisations
• Payments autosubmit jquery
• Added VMPATH_ROOT constants for compatibility with VM3
• Fixed recipient in invoice/view.html.php rendermaillayout
• Controller alias vmplg
• AIO: removed permission checking, list installed plugins
• Unpublished the uk states
• Permissions use joomla and/or virtuemart
• Storemanagers can edit orders now (as requested)
• Removed "displayed name" from order edit address
• Loadvmtemplatestyle should now always load the fe style even fired from BE
• Preloading js
• Enhanced Registration email added address,
• Fixed typo in config/checkout
• Vmtable: added bindto
• _getlayoutpath: checks if layout is in plugin folder and then plugin subfolder
• Access to update tools does not use issupervendor function anylonger
• Fixed error in shoppergroup list, that ordering for ids deleted the "default" shoppergroup 
• Added order status list for desired attachment order status 
• Readded to continue_link_html the class in the link class="continue continue_link"
• Added attachment for mail. Use attach_os as array in the config file for the desired orderstatus 
• Added option reuseorders, also settable by config file.
• Minor in userfields load function
• Payments using json_encode
• Shopper group name in payment/shipment
• Just added the filter for the dot again (slug creation)
• Joomla update server fix

Details

Written by: Max Milbers

Category: Latest News

Published: 12 September 2014

Hits: 59814

If you are using a version lower than 2.6.10, you should update right away.

During a routine audit done by the Sucuri firm, they found a critical vulnerability and informed the VirtueMart team.
The bug was immediately patched (in record time) and the version 2.6.10 (stable version) and 2.9.9b (in RC state) fixes this issue.

If you cannot update VirtueMart, please follow those instructions.

Our Security policy

There were recently some misconceptions about our security policy. Some people complain that we are not following the "Full Disclosure" philosophy (please read Full disclosure (computer security) ). The "Full Disclosure" comes from the beginning of the open source movement and is also to see as an answer to the "non-disclosure" behavior of proprietary software vendors. The experience was that sent vulnerabilities were not fixed. So the people learnt that revealing the vulnerability in public lead to a fast reaction of the blamed company. The evil guys of this business just started to blackmail companies.
There are of course also some other advantages. In case of Linux kernels, the idea is that all together work on a fix for it. The leaks are often a lot complexer and so the more people know about the faster it is fixed. Furthermore anyone should be able to learn from the leak to prevent the issue in future.

In our case, the most security leaks are fixed within minutes, maybe within 1-2 hours. So the argument, the more people the faster a fix is ready is not suitable for joomla/extensions. So we are following the philosophy of the "responsible disclosure" (please read Responsible disclosure ). Also sucuri.net is following this idea. They are professionals and know how to handle a vulnerability for the best of all users. They informed us secretly about the problem. We fixed it within a day, they tested our fix and asked if it is the right time to inform their customers. We did the most important thing, to provide a fix, only missing was the "responsible disclosure". So I agreed, but misunderstood them, because I did not meant that they disclosure the vulnerability in detail. A correct disclosure in our environment (php, opensource) must also always contain an explanation to fix the issue manually. The other reason is that the problem is actually in the joomla user "model" , and it should be also fixed in the JUser to prevent misuse of it before we should do the "Full disclosure". Persuading the joomla developers to protect their model got complexer than thought. Their argument is that there is no problem as long as you are using the Joomla Form. We got just stuck and must now prepare an explanation, why it is always bad to allow any form to override internal variables of an object.

How to get the security fix without updating VirtueMart

If you cannot update VirtueMart, there are two possibilites:

Exchange the file models/user.php

The easiest way is just to exchange the user model with the new one:

1. Dowload the latest version (VirtueMart 2.6.10 or VirtueMart 2.9.9b)
2. Replace the file /administrator/components/com_virtuemart/models/user.php with the new one.

The user model is almost untouched for a year, so you should first try just to exchange the model.

Patch the user.php file

If you think your user model is too heavily modified, it is enough to add a unset($data['isRoot']); to the top of the user store function:

1. Go to /administrator/components/com_virtuemart/models/user.php
2. Search for the function named function store(&$data,$checkToken = TRUE)
3. Replace if (!$user->bind($data)) { with

   if(!$user->authorise('core.admin','com_virtuemart')){
   	$whiteDataToBind = array();
   	$whiteDataToBind['name'] = $data['name'];
   	$whiteDataToBind['username'] = $data['username'];
   	$whiteDataToBind['email'] = $data['email'];
   	if(isset($data['password'])) $whiteDataToBind['password'] = $data['password'];
   	if(isset($data['password2'])) $whiteDataToBind['password2'] = $data['password2'];
   	} else {
   		$whiteDataToBind = $data;
   	}
   // Bind Joomla userdata
   if (!$user->bind($whiteDataToBind)) {
   		.....
   

We just creating a new array and setting any variable manually (white list).

The real problem behind all this

The JUser model bind function just loops through the properties of the class and sets data with the same name to the object. The filtering is done by an attached JForm (Gui elements) to filter the input of the data. So if developers use the joomla model without form, they have to filter the data themself, else it is possible to override internal variables of the object.
The binding for normal JTables does not override internal variables as long you follow the habit/convention to name them with a trailing underscore _. The check function additionally ensures that the data is correct. But the juser object does not follow the own joomla habits. Additionally it is very unclean to use MVC and to have a model, which needs GUI elements to do correct filtering. There exists enough tasks to use a model without any GUI. For a developer just using the joomla API it is like a trap. A model should be secure by itself, without the need of a "View" or "Controller" to be safe. SCNR, but joomla 2.5.16 fixed a security leak in some the JFormFields. So other solutions based on that were also very unsecure for years.

The suggested fix in the joomla user model is very easy. Just unset the sensitive data, if a user is not admin. This should be done in the bind function and in the store function. The advantage lays on the hand.
A lot other extensions for joomla become more secure. It is very unlikely that only VM has this problem.
People can do a small joomla update and still use their modified extensions.

Personally I see the request for full disclosure as a typical academic, but noobish request. Not only the good guys learn from disclosures. The black hat fraction also learns from it. It is important to differ and sometimes a full disclosure makes absolut sense, but not always. It depends on the complexity of the problem, how many people already know about, the reaction of the maintainers, and so on.

Details

Written by: Valérie Isaksen

Category: Latest News

Published: 15 August 2014

Hits: 33987

We are pleased to announce that Realex is now available through VirtueMart’s ecommerce solution.

Sign Up today

and receive 1 month free processing!

Use the Realex Payments integration as part of your VirtueMart e-commerce solution and benefit from a seamless, no-hassle integration offering industry-leading features and support.

Why Choose Realex?

Realex Payments is a leading European payment services provider, with offices in Dublin, London and Paris. We currently process in excess of €24 billion annually for over 12,500 clients including Virgin Atlantic, notonthehighstreet.com, Vodafone, Paddy Power and BooHoo.

Some of the key reasons merchants choose us over other gateways:

• 3DSecure - Protect yourself against fraud and chargebacks. We fully support 3DSecure, which provides additional protection should a chargeback occur.
• Access your funds quickly - The Acquiring Banks we work with typically settle funds into your account within 2 days, unlike 7 days for some of our competitors.
• Pricing - As you scale your business, other payment processors can very quickly become expensive. We offer a flat per transaction rate that can be tailored to your business as you grow.
• Customer Service - We don’t believe in IVRs, simply pick up the phone and speak with a familiar voice

Realex Features

"Realex Payments are delighted to have partnered with the VirtueMart core team to build a simple to use and feature-rich integration."

Features include:

• Processing for all card payment types
• Major alternative payment methods (PayPal, Sofort, GiroPay, ELV, iDeal)
• Transactions processing in 150 currencies
• Fully PCI level 1-compliant, responsive and customisable hosted payment page
• 1-Click checkout for a seamless checkout experience
• Secure Card Tokenisation for recurring payments - RealVault
• Dynamic Currency Conversion to allow shoppers to pay in their currency
• Fraud checks: CVN, 3DSecure (incl. Amex SafeKey) and AVS
• Comprehensive suite of fraud management tools - RealScore
• Delayed/Deferred Settlement
• Comprehensive Order Management (refund, void, settle) from the VirtueMart back-office
• Plug and play access to our APIs
• Comprehensive, configurable and flexible transaction routing capability

To Find Out More

For more information please contact us on This email address is being protected from spambots. You need JavaScript enabled to view it. or Sign up with Realex Payments today to get one month free processing and join the hundreds of VirtueMart merchants who know and trust us to process thousands of orders per week.

Updates and bug fixes VirtueMart 2.6.8

• Preventing double orders (3rd party developers may adjust their payments)
• Shipment price display in product details
• Better Itemid handling in the router
• Thumbnail resizing if one dimension is 0 (same as already for vm3)
• Router is using category model now, better use of already cached data
• If One Page Checkout is disabled and Show checkout steps is activated, then the shipment and payment selection is only shown if a shipment/payment is already selected. So this give back the old VM1 behaviour
• Little fix for shipment/payment tax with different VatTax rules
• Fix for product cache (happened rare)
• Lot small fixed typos, increased robustness, little enhancements

Details

Written by: Max Milbers

Category: Latest News

Published: 04 July 2014

Hits: 63266

VirtueMart 3, Core is ready for testing

We finally can announce that the VirtueMart 3 core is ready as Release Candidate 2.9.8. Now the remaining job is to test the core intensively on joomla 3.3 and to add missing backward compatibility for easy updating. As far we can see all API changes are done.

The primary task is now to test the plugins, adjust them to the new joomla 2.5 style and if necessary add fallbacks or provide developer information for switches in our Code adjustments for Virtuemart 3. This manual will grow, the more developers provide feedback, the faster. The plugins for the customfields must be updated. All extensions working with the customs need to be updated. Except for the plugins for the customfields, the old plugins will almost directly work. The xml files must be updated to j2.5 style. They need some adjustments anyway to run with Joomla 3 like using vRequest (respectivly JInput).

The changes in VirtueMart 3

Our priority for VM3 is to develop a robust core providing a cleaner structure and less code. We reduced the dependencies on joomla, but increased on the other hand the integration. For example, the core now uses only the JFormFields of joomla 2.5 and not any longer the old vmParameter, but we added vRequest (MIT) as choice for JInput. Developers can now use the normal JFormField joomla conventions for all plugins.

You can re-use your layouts by using the new sublayouts (like minilayouts). They give your store a consistent appearance and make it easier to adjust standards for different layouts in one overridable file. The input data is very unified which makes it stable against updates.

The new core has an advanced cart with enhancements to provide better update compatibility. For example the new custom userfields now include an option to be displayed on the checkout page and can use their own overridable mini layouts making it easy to adjust the cart to legal requirements without touching the template. The data stored in the session is minified and therefore the cart now uses normal products, which can be easily modified by plugins (for example to adjust the weight).

The new jQuery versions are now mainly the same as in joomla 3.3 (jQuery v1.11.0,jQuery UI - v1.9.2, legacy complete). Shops using joomla 2.5 with VM3 will also benefit from this. It will prevent needless configuration problems.

Frontend Editing combined with the joomla ACL now allows your vendors to directly access the VirtueMart backend from the frontend, without having real access to the joomla backend. This feature is still under heavily development and we are still looking for funds to complete it. So far vendors can just create new products, edit their products and list their products. It is the first step to make multivendor accessible for normal endusers.

"Additional Shoppergroup" is a new feature for shoppergroups, which do not replace the default groups.

New internal program caches reduce the sql queries for the most used tasks by more than 20%.  

and of course the new customfields. With new options, redesigned and a lot more flexible to use.

Planned

A new trigger system, only for the checkout is started. It needs a new derived function/trigger and cannot be done with the old triggers. It will work with some kind of event system and call the proper plugins directly. We will write this after the first release. Old plugins then just need to be updated with the new trigger to participate in the new system.

Simple ajax reloading of component view. We are very happy that Max Galt, the developer of the cherry picker has donated his javascript code for dynamic reloading of products to the VirtueMart Project

Please download and test 
com_virtuemart.2.9.8a_extract_first.zip

VirtueMart2.9.8_Joomla_2.5.22-Stable-Full_Package.zip

VirtueMart Support Membership

We have successfully introduced a membership for the VirtueMart Project recently. We recognized that VirtueMart users want a safe support address if they find a bug and that a public forum is not adequate for serious business owners. In the past two years the core development team also had to spend too much time to provide customizations to make their living. Providing a really good maintained and professionally tested core takes more and more time and the complexity required to keep it simple for endusers and web agencies is increasing with every version.

• VirtueMart continues with one free version
• Members are customers with access to our ticket system
• The membership helps the core developers to focus on the project and enables us to provide a very high code quality
• Any tier gives a vote for a desired feature to influence the roadmap
• Added value (multi-add layout, display shipment costs for products,...)

There are also some nice ideas to enhance the core. For example multi-image upload, different sizes for images, more different layouts to choose from, angular js (very fast), more multivendor, multi-language tools, enhanced js for the BE, flexible and configurable OPC, ...

We also already invested into the new router of Hannes Papenberg and it will be provided to the VirtueMart Support Members.

Become a VirtueMart Associate Member

There is also already a thread about this in the forum http://forum.virtuemart.net/index.php?topic=124355.0