A bit earlier than expected, we have to release vm3.0.4 to close a vulnerability in the core. This is a real vulnerability, not an exploit. The problem is a wrong error reporting setting, which can reveal the server path in use, which an attacker can then use for the real attack.

More and more people use PHP 5.4 or PHP 5.5, which have different default error handling, so Strict Errors were sometimes displayed (revealing the path). To prevent this, we added a function to disable the "Strict Standards" reporting for the "default" and "none" settings in Joomla. Unluckily, we left the setting enabled for a special debugging case. So regardless of the configuration setting in use, you always got at least the "Simple" setting. Luckily, it is not so easy to create warnings and errors in VirtueMart 3.

In case you don't want to update, here is the manual fix:

  1. Open the file config.php at /administrator/components/com_virtuemart/helpers/config.php.
  2. Go to line 583 and replace
    ini_set('display_errors', '1');
    with
    ini_set('display_errors', '0');

Or just download the new version.
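
To confirm whether an installation still has the debugging setting enabled, the following shell function inspects line 583 of the file named above. It is an added example, not part of the VirtueMart release; the function name check_vm_display_errors and its status words are assumptions, and it assumes the file is unmodified, so that line 583 is the line this announcement refers to.

```shell
#!/bin/sh
# Added example: verify the manual fix on one Joomla installation.
# Path and line number are the ones given in the announcement above.
# Usage: check_vm_display_errors /path/to/joomla/root
VM_CONFIG_REL="administrator/components/com_virtuemart/helpers/config.php"
VM_LINE=583

# check_vm_display_errors JOOMLA_ROOT   (hypothetical helper name)
# Prints one status word and returns:
#   0 = line 583 sets display_errors to '0' (fixed)
#   1 = line 583 sets display_errors to '1' (paths can still leak)
#   2 = file missing, or line 583 is not an active display_errors call
check_vm_display_errors() {
    file="$1/$VM_CONFIG_REL"
    if [ ! -r "$file" ]; then
        echo "missing"
        return 2
    fi
    line=$(sed -n "${VM_LINE}p" "$file")
    # Normalise: drop whitespace and unify quote style before matching.
    norm=$(printf '%s' "$line" | tr -d ' \t\r' | tr '"' "'")
    case "$norm" in
        "//"*|"#"*)
            # A commented-out call is not active code; report it separately.
            echo "unknown"; return 2 ;;
        *"ini_set('display_errors','1')"*|*"ini_set('display_errors',1)"*)
            echo "vulnerable"; return 1 ;;
        *"ini_set('display_errors','0')"*|*"ini_set('display_errors',0)"*)
            echo "fixed"; return 0 ;;
        *)
            # Different version or edited file: inspect it by hand.
            echo "unknown"; return 2 ;;
    esac
}
```

A result of "unknown" means line 583 is not the expected call, for example because the file comes from another version; in that case review the file manually or install the new version.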

The new version has just one important layout change, which matters for people who override the sublayout prices. The sublayout prices.php had a <div class="clear"></div> at the end, which got removed to increase the flexibility of the sublayout.

The new version contains a new sample product, the "child variant", which allows you to use up to 5 dropdowns to determine the product variant. It is similar to the stockable plugin, but also allows changing the variant data of any child directly from the parent. The handling of the feature is not perfect yet, but a good start. Feel free to share your ideas on our forum.

New features and bug fixes:

  • cleaning of the code
  • increased robustness
  • increased consistency
  • more j3 compatibility (minors)
  • added js to automatically fire the checkout (without redirect) to show confirm directly
  • link to manufacturer on the productdetail page calls the manufacturer, no longer the product list of the manufacturer
  • the rss feed in the controlpanel is now loaded by ajax, so that the controlpanel still loads if rss has problems
  • custom media, related products and categories with image size parameter
  • added var to vmview "writeJs", for example to prevent writing of js in pdfs
  • added hash for categoryListTree
  • changed calculator so that default userfield parameters are better set directly when instantiated. Fewer problems with tax by country for guests
  • fixed in vmplugin.php the function declarePluginParams
  • fixed trigger plgVmDeclarePluginParamsUserfieldVM3

and some more.