VirtueMart 3.2.6 - Security Release and overhauled infrastructure

A minor XSS vulnerability was present in versions prior to 3.2.6. It occurred when the feed and search features were used together, and only when feeds were enabled, so administrators of earlier versions can also close the hole by disabling the feed functions. The URL creation of the feed function used an improper call to JRoute, so URL-encoded JavaScript was executed. The problem is now fixed by using our getCurrentUrlBy function, which works with a whitelist of variable names and URL-encodes every value.
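The two halves of the fix described above, building a URL only from a whitelist of request variables and encoding every value, are shown below as an added illustrative example. This is not VirtueMart's getCurrentUrlBy code and not JRoute; the function names buildWhitelistedUrl and urlToAttribute, the sample request array and the whitelist are all constructed for the example.

```php
<?php
// Added illustrative example (not VirtueMart's own getCurrentUrlBy code):
// build a feed/search URL only from whitelisted request variables and
// URL-encode every value, so nothing from the request reaches the URL raw.

declare(strict_types=1);

/**
 * Build a query string from $request, keeping only the keys listed in $allowed.
 * Each key is validated against a strict identifier pattern and each value is
 * rawurlencode()d, so user input cannot break out of the URL context.
 */
function buildWhitelistedUrl(string $base, array $request, array $allowed): string
{
    $pairs = [];
    foreach ($allowed as $name) {
        // Only plain identifier-style names are accepted as parameter names.
        if (!preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', $name)) {
            continue;
        }
        if (!array_key_exists($name, $request)) {
            continue;
        }
        $value = $request[$name];
        // Arrays, objects and nulls are not URL parameters here; skip them.
        if (!is_scalar($value)) {
            continue;
        }
        $pairs[] = rawurlencode($name) . '=' . rawurlencode((string) $value);
    }
    return $pairs ? $base . '?' . implode('&', $pairs) : $base;
}

/**
 * Escape a URL for placement inside an HTML attribute (e.g. <link href="...">).
 * This is the second half of the defence: encoding for the output context.
 */
function urlToAttribute(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request: legitimate feed parameters, one value containing
// markup characters, and one parameter that is not on the whitelist.
$request = [
    'option'     => 'com_virtuemart',
    'view'       => 'category',
    'keyword'    => '<b>shoes</b>',
    'format'     => 'feed',
    'evil_param' => 'dropped because it is not whitelisted',
];
$allowed = ['option', 'view', 'keyword', 'format', 'virtuemart_category_id'];

$url = buildWhitelistedUrl('index.php', $request, $allowed);
echo $url, PHP_EOL;
echo '<link rel="alternate" href="' . urlToAttribute($url) . '">', PHP_EOL;
```

The whitelist decides which parameters may appear at all, rawurlencode() makes each value inert inside the URL, and htmlspecialchars() makes the finished URL inert inside the HTML attribute; dropping any one of the three reopens the class of bug the release fixes.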

Changes in VirtueMart version 3.2.6

The plugin vmLoaderPluginUpdate now redirects from the normal Joomla registration to the VirtueMart registration, because the Joomla registration always lacks the address and other VirtueMart-related information and therefore should not be used. The plugin provides a parameter to disable this. The normal custom fields of type S or M can now use the price modifier as a percentage. The shipment plugin now also works with multiple countries. The media manager has an important new function: we can now delete a media file physically (not just the database entry), and its thumbnails are deleted automatically as well. Some extra security checks were added.

  • Important patch to prevent memory leak when switching languages.
  • usermodel, extra check if the already loaded user has the right id.
  • Renamed order_done layout to orderdone to be able to create a menu item.
  • New feature customfield of type S and M have now a new parameter, which enables the added price as percentage.
  • Added redirect per system plugin "vmLoaderPluginUpdate" for register and login.
  • Shipment plugin shows now also multiple countries.
  • vmJsApi, fix for correct language of the datepicker.
  • mediahandler now has a deleteAllThumbs function for a certain image (works with a regex, so it may accidentally delete too many thumbnails, which is quite likely unimportant).
  • Vendor model getVendorAddressFields does not work with the internal id any longer.
  • BE category list keeps selected category.
  • Very important fix for multivariants, which lost in some conditions the parent option, when changing to a child.
  • Language dependent caching.
  • install.sql, removed NULLs for product group booleans, like featured, discontinued, ...
  • More security for function getMyOrderDetails.
  • Enhanced search plugin.
  • Removed double // in function displayLogos in vmpsplugin.php.
  • Function changeShopper: the address is no longer pre-filled with the user data of the switching user (in case the address is not provided).
  • Fixed frontend manager link permission in user accountmaintenance.

You can find the full list of changes here: http://forum.virtuemart.net/index.php?topic=138912.0

Changes on the VirtueMart Website

A task force led by Stefan Schumacher finally updated our virtuemart.net site to Joomla 3.8. Lately a lot of people also noticed the trouble with our SSL certificate, issued by StartCom. Initially, Google had announced that it would revoke trust for certificates issued by StartCom after October 21, 2016. Our expensive wildcard certificate was issued before that date, so there was no need for action. Unfortunately, Google then phased out trust for all older WoSign and StartCom certificates as well with the release of Chrome 61. If you want to read more details about this, have a look at https://wiki.mozilla.org/CA:WoSign_Issues.

So we decided to use Let's Encrypt instead, which runs maintenance-free once Certbot is installed. This led to the problem that we had to update our main server completely. For this, we received fantastic help from Sören Eberhardt-Biermann, the founder of VirtueMart. All systems are finally updated and running with the latest versions. For dev.virtuemart.net this means that we now operate with the latest Redmine version and that our SVN server got updated, too. The mail server system has also been updated, because the old system sometimes had hiccups. Last but not least, we also updated to PHP 7.

VirtueMart 3.2.4 released with new payment options

The new version comes with a slightly improved PayPal plugin and a new PayPal product named "PayPal Credit". It allows customers to finance a purchase with PayPal's partner Comenity Capital Bank.

Furthermore, Amazon Pay is now ready for production use. It makes the cart more efficient by using the same login as for amazon.com, which auto-fills the customer's address into the VirtueMart BillTo and ShipTo address forms.

Also, we worked hard to improve PHP 7 compatibility, exchanged volatile loops and conditions for more robust code and added more error handling to prevent broken JavaScript. New abstract language helper functions now create the SQL for the language fallbacks, thus reducing bugs and increasing consistent behaviour. The backend now provides more functions for a comfortable workflow, more tooltips, filters, stored filter states, fixed links and small GUI enhancements. Editing an order now calculates proper results. For example, changing the order status for one item now updates the inventory correctly.

The whole 'Tools' section got cleaned up and a more logical layout. We added a new wizard for setting the safepath, which sets a secure safepath with one click. The old function to change the store owner got enhanced and now works reliably even when the vmuser entry is missing.
The revenue report now works correctly to the second. There is also a new hidden config to set the mode for the week.

The new Joomla core 3.7.4 creates the plugin object while updating, so updating a VirtueMart plugin ends in a fatal error because the VM plugins need the loaded VirtueMart environment. Therefore we added a small system plugin, which ensures that the VM environment is loaded.
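The shape of such a system plugin, as an added illustrative example rather than the plugin shipped with VirtueMart: a Joomla 3 system plugin that loads the VirtueMart configuration in onAfterInitialise, so that any extension (or the updater) can construct VM plugin classes afterwards. The plugin name PlgSystemVmenvloader is made up for the example; the path administrator/components/com_virtuemart/helpers/config.php and the call VmConfig::loadConfig() are assumptions about the VirtueMart layout, and the plugin's XML manifest is not shown.

```php
<?php
// Added illustrative example, not the vmLoaderPluginUpdate plugin shipped with
// VirtueMart. A minimal Joomla 3 system plugin that makes sure the VirtueMart
// configuration environment is loaded early in the request.
//
// Assumptions (not taken from the announcement): the config helper lives at
// administrator/components/com_virtuemart/helpers/config.php and exposes a
// static VmConfig::loadConfig(); the plugin is installed as plg_system_vmenvloader.

defined('_JEXEC') or die;

class PlgSystemVmenvloader extends JPlugin
{
    /**
     * Runs on every request before any component or the installer executes,
     * so VM plugin classes can be instantiated later without a fatal error.
     */
    public function onAfterInitialise()
    {
        // Nothing to do if VirtueMart has already been loaded by someone else.
        if (class_exists('VmConfig')) {
            return;
        }

        $configFile = JPATH_ADMINISTRATOR . '/components/com_virtuemart/helpers/config.php';

        // Do not break the whole site if VirtueMart is not (or no longer) installed.
        if (!is_file($configFile)) {
            return;
        }

        require_once $configFile;

        // Load VirtueMart's configuration so that the VM plugin base classes
        // find the environment they depend on when Joomla constructs them.
        VmConfig::loadConfig();
    }
}
```

Guarding on class_exists() keeps the plugin idempotent when another extension already loaded VirtueMart, and the is_file() check means a half-uninstalled shop degrades to "no VM environment" rather than to a white page.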

New triggers increase the flexibility of VirtueMart. The triggers plgVmBeforeStoreProduct and plgVmAfterStoreProduct in the product model allow product properties to be set automatically. The triggers plgVmOnUpdateCart (in the cart controller) and plgVmOnAddToCart (in the cart helper function add) give programmers more control when a user is adding an item to the cart.

The cart has also been enhanced with new features. We now have the intuitive automatic shipment/payment selection. The old method was to set a shipment/payment automatically when there was only one choice. Then we added a small JavaScript, which set the configured method automatically when available. This had the disadvantage that only one method could be configured automatically, and when it was not available, nothing happened. The new method automatically sets the first method. The item update within the cart now also uses ajax, except for removing a product, because there was no backward compatible solution (we may find one later). The new cart layout does not show an extra 'Save' button for the shipment/payment selection any longer. Plugins which provide extra data must add the button themselves.

Opening the order details now also works with ajax. Ajax for the category browse view is currently too complex considering backward compatibility, but it is of course planned for the future. The new productdetails layout now uses the thumbnail function to display the main image. This sounds a bit strange at first, but in the end it makes the automatic resizing feature available for the main images as well. Layout overriders can now also change the layout used for the order list and order detail views per hidden config.

To read the complete change list: http://forum.virtuemart.net/index.php?topic=137816.0

Security release Joomla 3.7.1, update your VirtueMart first!

A Joomla 3.7.1 release containing a security fix will be published on Wednesday 17th May, BUT you should update to VirtueMart 3.2.2 BEFORE updating to Joomla 3.7.1. VirtueMart 3.2 addresses significant changes from Joomla 3.6.5 to Joomla 3.7. If you were still running VM 3.0.18.x with Joomla 3.6.5 to avoid update problems, you will now be forced to update to Joomla 3.7.1. Everybody, regardless of the Joomla or VM 3 version used, should update to the latest VirtueMart version 3.2.2 on Joomla 3.7.0 in order to find and solve any compatibility problems prior to the mandatory Joomla 3.7.1 security release.

The new VirtueMart 3.2.2 is mainly a bugfix release with very few new features. In VirtueMart 3.2.x the backend language behaviour changed. Previously VM always took the shop language for displaying the content in the VM administration views, regardless of the selected backend language. Since VM 3.2 it uses the selected backend language. That created some confusion, especially with language fallbacks, because managers had no indication whether or not they were seeing a language fallback. Now country flags are added to display the origin of the language string when a language fallback is displayed. Some additional language options are now available. The shop language can now be set directly in the VirtueMart configuration. The language issue of the registration emails is fixed. Also, we found a fix for the width of the chosen dropdowns.
Other minor features and bug fixes address quick-and-dirty written plugins, outdated relations and adjustments for Joomla 3.7.0.

VirtueMart 3.2 - Cached and Optimized

Better display options and improved backend gui

The new handling of the category view and categories is the most interesting feature of the new core. The new options for categories are set globally in the VM configuration and can be fine-tuned in the category itself and/or in the menu item of the category. The new category view has all the old options of the "frontpage" view, so shop owners can now also display grouped products of the category, for example featured or topten. The old frontpage view "virtuemart" is now deprecated and won't be developed further, but it will still work for updaters. Additional GUI enhancements in the backend reduce clicks and provide a better overview of the store. Ajax-loaded categories and JavaScript outsourced into libraries increase the performance when browsing the administration area.

Improvements under the hood

The new core got a lot of improvements under the hood. The design of the system became more consistent and follows the object caching strategy more and more. This means that we prefer to load a full object even if we just need the name, because it is quite likely that we need the full object a bit later anyway. We also added program caches for whole functions, not just database searches. Furthermore, the new core sets course for WordPress compatibility. For example, the options per category are important for WP, because there are no menu item options similar to the ones used in Joomla. The new language system still uses the Joomla JLanguage object, but the handling above it got separated, so we can use it better in WP. It also has the advantage that we can load different languages with language overrides for each language correctly in one page call. We need this for example for different email languages. Previously we just reused the old JLanguage object. The system is a bit more performant (not measurable in time, but in load) and has less overhead.

Update friendly

We paid a lot of attention to updaters. Updated systems are set into the legacy layout mode by default. In case a shop uses a system plugin working with VirtueMart, it may happen that there are problems with a multilanguage shop. In this case ask the plugin developer for an updated version (most 3rd party developers already provide one). For layout changes, we highly recommend using the new layout options.

Templaters and any 3rd party developer using the VirtueMart config object in the trigger onAfterInitialise, please read here: http://forum.virtuemart.net/index.php?topic=136826.msg478498#msg478498

Changelist

Routing:
- load homeid after trying to get the activeMenu
- routing of category and manufacturer ids in category view
- Itemid for product links
- another way in the router to ensure that the product model is loaded
- Added new function in router.php which takes care of loading ids or slugs with multilang using the vm config vm_lfbs. This function may be enhanced further and added to VmModel
- sef lang keys must not have the same translation!
- Added the previously hidden configuration 'sef_for_cart_links' for SEF links in tab SEF of vm config.

Cache and Optimisations
- Added program cache for currency converter. May be moved to the database later
- cached getVendorId
- enhanced link creation in BE product listing, prepared and cached with static variable
- enhancement for the router and product model: getProductParentId now usually uses the already loaded and cached data of the getProductSingle function. Also the names of the products are now taken from the cache. Usually products are loaded already anyway.
- the check whether vmdebug should be displayed now works with a static in VmConfig and not with a function. The function is now executed in loadConfig if needed.
- function getParentProductcategory in router.php uses now already cached products if available
- sorting on countries published: fix on hash
- Added "cache" option for language loader

Currency:
- Currency format can now contain an empty space
- increased size of currency fields, so that we can use now html entities

Improvements for convenience:
Common:
- Updated "update xmls" to vm3.0.18
- missing language keys
- removed id tag from dropdowns to ensure that chosen can always generate a unique id
- little fix in calculation, category settings work now also for discounts of rules per bill
- added deep category search for product links by GJC
- bulgarian states added by servlet
- global category settings
a) Added parameters of the category view to the vm category itself. This also includes renaming of some parameters in the vm config; an updater is provided
b) Added more global options to the new category parameters; reused old vm config options (partly from the homepage settings) as global options for the new category parameters
c) enhanced the layout for the view global settings in vm config
d) Adjusted also the newsfeed of the category view to work like the homepage feed.
e) added "no override" setting to the category layout/template parameters. All additional category/template/layout parameters now use an empty string as "default" (no override)

Backend:
- ajax loading of categories in Administration area.
- updated links of help file
- Added config which price should be used, when more than one fits (old selection used always the higher price)
- added vm config option for legacy layouts
- function getLayouts in config model checks for empty directories
- fix for tcpdf font listing, when tcpdf is not installed
- "debug email" which outputs the emails as message instead of sending them.
- fixed coupon search (thank you sandomatyas)
- configuration for the feature to omit already loaded products
- fix for JCE 2.6.0
- fix for editor cf, don't compare JDocumentHTML case sensitive, since Joomla changed it to JDocumentHtml
- added discontinued products
- added stockhandle on product level
- config for stockhandle on product level
- choose between replace, add and remove for product bulk associations
- more failsafe solution in model product.php for getProductShoppersByStatus in case a userfield is deleted
- MV were sortable, but did not show the right order in product edit, fixed
- "gui" fixes for customfield Multivariant. Removed phantom child in case it got deleted and fixed for some workflows a wrongly shown error.
- fixed rounding of customfield property by adding a new option "use rounding"
- added that commas are also replaced for desired final price
- createClone works now with getProductSingle, so that clones are still completely configurable by the parent
- fixed cloning of products in multilanguage shops
- fix in vmtable (for vmusers) function check, new registered users got vendorId of the admin creating the user
- added coupon to revenue (as extra column)
- fixed report for daily filter, should now work also with correct time offset (r9401)
- enhanced order listing, more information, combined some columns
- enhanced order editing, please check the help file for the new possibilities
- hidden fields also in order edit (by Rupostel)
- Shipmentmethod in the order list BE (by Alatak)
- colors for order status for faster BE order list reading (by Alatak)
- fixed BE ordering of shipment and payment methods
- fixed small display error while adding ST address in BE user edit
- also ratings are autopublished (worked already for reviews)
- BE hover title for image search results

Frontend:
- enhanced fallback of meta data in the category view
- added config "show_subcat_products"
- fixed recent products, was missing creating products by returned ids
- added using $this->isPdf to the cart layout to prevent printing of unnecessary forms
- cart sets vendorId=0 when all products are removed and in multivendor mode
- no public error for missing images
- Added total prices (price per item multiplied by quantity)
- related products use now normal price display
- added option for related products to have an add to cart button
- setProductType for related products
- Added product img thumb for Ajax Cart
- removed deprecated layout login.php in user view, is now replaced by sublayout login
- enhanced js toggling the checkout/confirm button
- new handling of session in function emptyCartFromStorageSession, should throw a logged error in case someone has an unpatched Joomla
- added feedback when user registration is forbidden by Joomla
- fixed the problem that the registration mail was always sent regardless of the Joomla configuration
- "Shopper group back to default after order finished." fixed http://forum.virtuemart.net/index.php?topic=136077.0
- fixed "show more reviews" button.

Language:
- Better language system, we load different languages now in different JLanguage instances
- moved language functions of VmConfig in own class vmLanguage, moved class vmLanguage in own file
- added new variable $currLangTag, which keeps always the last set language.
- vmLanguage function setLanguage is now private, setLanguageByTag should be used
- check in vmtable if language tag is correctly set, else it calls vmLanguage::initialise()
- added shopFunctionsF::loadOrderLanguages, which loads the language files "shoppers" and "orders" with fallbacks and for the requested extra language
- added parameter for loadConfig, so that it can be used without initialising vmLanguage (important for use in onAfterInitialise event)
- added log message, when language was not correctly loaded.
- added the options for "invoice in user language "
- function renderMail uses now the default backend language for the messages to the vendor
- vendor emails of orders are now sent always with the vendor language with fallback to joomla default language
- fix in router for better BC, loads vmConfig and sets the right language if needed; this is needed because some plugins load vm before the right language is set by Joomla
- fix for order/invoice/mail shopper language when the shop language does not have English as default language (=Joomla default site language)
- Fixed language for invoice header and footer, needs resetting of vmlang by VmConfig::setdbLanguageTag; added user language to order, which is also interesting for support
- displayLinkToParent now works with language fallbacks
- Added cloning and creation of children to product edit view
- Cloning products: Fixed doubled prices of cloned product, happened due to re-updating the product after the process
- Cloning products: Fixed missing shoppergroups
- added language fallback for manufacturer
- language fallback for manufacturer for routing
- added fallback for categories in the backend list config model
- fix for category search with multilanguage fallbacks
- fix for default ordering in product listing with multilanguage fallbacks
- fixed ordering for product names in BE list, works also with language fallbacks

Installer/Updater:
- Updating an old vm enables the legacy layout
- added installation language, minors for sample_virtuemart.sql
- added checking for the new order statuses, inserted if missing
- fullinstaller has virtuemart sample data already selected
- language dependent sample data is loaded when available (with suffix _fr_fr for example)
- increased max_execution_time and memory_limit in installer and tableupdater
- loaded vm instance of install script is now using the temp install folder
- enhanced sample data (more reasonable)
- changed some default settings of the updater, so that updaters should not notice any difference

Table enhancements:
- Some more fields from char to varchar
- added some keys for faster reading

SQL:
- prevented ambiguous product_mpn
- payment and shipment model missed i. for ordering
- Some sql were broken for multivendor using fallback for fallback language. Abstract function planned
- Replaced all "using" in sql against ON (and that was a lot)
- fixed getParentlink query in product edit
- getCategoryRecurse sql is not executed for child_id = 0 any longer
- fixed sql getPluginMethods
- fixed sql in model category function getParentsList when language fallback is needed
- fixed sql of shipment and payment model functions getPayments and getShipments (kind of a typo, a missing alias after the "as")
- fixed sql error in customfield.php r9358
- Added some sql table keys id,ordering
- small optimisations of sql for using keys better

Program internal:
- config helper and regarding config model for WP
- renamed stockhandle_discontinued_products to stockhandle_products
- renamed product_remaining_stock to product_discontinued
- replaced VmConfig::setErrorReporting by VmConfig::setErrRepDefault
- Added common function "useSSL", which considers the option in vm and joomla
- exchanged "round" against "roundInternal" in calculation helper http://forum.virtuemart.net/index.php?topic=135622.msg473786#msg473786
- new function getCurrentUrlBy, which creates a link from the request (GET, POST) using a whitelist of variable names
- correct redirect URLs for login, etc.
- loading of product images for ajax cart data now with a parameter
- model category function getCategory, added check so that an empty category does not try to load medias
- moved function getRecentProductIds from shopfunctionsF.php to the product model
- Added new Function vmConfig::getMemoryLimitBytes, which returns the set memory_limit with Bytes
- Found the error "scalar", happened when a boolean is cast to object r9374
- VirtuemartModelConfig function getLayouts, added param to disable the empty option
- replaced more json_encode against vmJsApi::safe_json_encode
- Each language uses now its own JLanguage object, makes it a lot easier to render different languages
- Replaced VmConfig::loadJLang against vmLanguage::loadJLang('com_virtuemart');
- htmlentities does not use ini_get("default_charset") any longer, it is set to UTF-8
- new function in vmtable checkTableExists
- vmpsplugin now uses checkTableExists
- email function renderMail got separated into different functions and cleaned up
- removed nasty bug for 3rd party developers which prevented the update of order items using the function updateStatusForOneOrder (r9400)
- vmTrace can now log and render the message (before log or render)
- function getTCPDFFontsList, replaced function glob against RecursiveDirectoryIterator
- added new field vmlisttable, handy to display item lists of models (maintable)
- added vRequest::setVar('doVendor', $this->doVendor); to function renderMailLayout of the invoice, used by sublayouts in the mail
- enhanced function getPluginMethods in vmpsplugin.php
- Added new getCache function, replaced all JFactory::getCache against VmConfig::getCache
- parameters of customfields not set in the product edit do not set a default value any longer, so the value of the custom prototype is used
- userfields are now escaped with htmlspecialchars and not htmlentities any longer
- Added missing state="0" for sqls using the Joomla extension table. This is important when someone uninstalled and reinstalled a plugin.
- function declarePluginParams now only checks by name, not extension_id any longer, and removed the & in the foreach for better compatibility
- updated vmUserfieldPlugin so that its params work similar to the other vmtable params. Is now also PHP 7 compatible.
- changed function renderCustomfieldsCart so that it can display extra data by product and user input data
- Added vmdebug as echo to add to cart popup
- added clone $product for the triggers plgVmOnProductDisplayShipment and plgVmOnProductDisplayPayment to prevent the trigger from accidentally changing the selected variant of the product


Javascript:
- Added ajax to browse view for multi variants and generic child variants
- enhanced ajax for reloading children. The view productdetails must have now the class product-container to work properly with ajax
- replaced "all" jQuery calls against $, if within jQuery environment to prevent problems with safari
- changed reserve time of "keepAlive" script. The delivery time of the page must be considered.
- javascript added boolean setBrowserState to optionally prevent the setting of browser state by ajax
- removed avfind.js, it is now added to cvfind.js
- cvfind js, additionally checks to prevent endless "while loops"
- switch for loading JHtml::_('behavior.formvalidation'); in vmsjapi and replaced in any files by vmValidator
- moved js script of mediahandler in own file
- gathered all media edit scripts to one script "mediahandler.js"
- gathered product scripts to product.js
- removed a lot scripts (for products and media) from the vm2admin.js, added "sortable" and "hide price"
- js for add to cart does not check for the DOM type any longer, so it can also be used with spans
- vmprices.js setproducttype checks now for the classes product-container, productdetails, vm-product-details-container
- Added product img thumb for Ajax Cart
- enhanced language switcher js and new lib for the admin menu
- BE view orders list and order edit js enhanced

Typos:
- typo in config.php created empty language db suffix
- typo in order model $orderDetails['details'] must be $order['details']

Layouts:
- removed asynchronous loading of MV script, it created random errors on some browsers
- facebox, disabled asynchronous and defer loading
- added missing class for ajax to the product module layout "single"
- Fixed HTML validation issue of cartpos[] input, moved it into a td. tr elements can accept only td and th elements as children.
- Fixed invalid br tag. (r9300)
- view/category/tmpl/default.php changed if($this->showproducts) to if (!empty($this->products)); the option is considered while loading the products and does not need to be checked there
- adjusted product_horizon to work with variant ajax reload
- wrote fallback for ajax for old layouts
- changed the 0 product group (normal products in the browse view) to "products"
- update by Stefan Schumacher for the 3 price lists (cart, invoice, orders): removed old tags in favour of inline style (yes, classes come later)
- changed a bit css so that add to cart button can be shown as span

Payments/Shipments:
- Fix for paybox IP problem http://forum.virtuemart.net/index.php?topic=135600.0
- little fix for paypal express, removed the possibility to select it as option to prevent errors with ajax
- fixed selection of paypal (removing of paypal express from the select list, removed it completely) r9384
- paypal has now optional conditional shipments
- small fix in Amazon Pay orderreferencenotification.php
- Amazon Pay removed VMPAYMENT_AMAZON_PAYMENT_NOT_AVAILABLE message, when the method cannot be selected
- Heidelpay adjustments for php 7 and some minors
- little fix for authorize.net
- Standard shipment plugin: Fixed a small issue, that deactivation of "show on productdetail" was not correctly loaded in the settings
- small fix in weight_countries.php, which prevented a checkout when there was no method for weight_countries.php configured and another shipment plugin used
- check in weight_countries.php, which prevents that the wrong shipment is autoselected (r9418)
- Avatax added check for soap

Security:
- rewritten getMyOrderDetails, now works with a whitelist
- security enhancement for model userfields by Stan Scholtz (Rupostel)
- userfields security enhancement by Rupostel: double-encoded HTML entities, param changed
- added hashing of vmver (js and css)
- Added extra check for isFEmanager that the user is actually logged in.

Joomla Security Release 3.6.5 and Patch for joomla 2.5.28

There is a security problem in the JUser model. Please update as soon as possible.
https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html

Joomla 2.5.x is no longer supported by the Joomla project, but we know that a lot of people still use Joomla 2.5 with VirtueMart. As promised, we provide a fix http://dev.virtuemart.net/attachments/download/1036/Joomla2.5.28-20161214PATCH.zip (Direct link).

This patch is just the one for j2.5.28 from last year, extended by the new files. Update your Joomla 2.5.x at least to the last version, j2.5.28.

It is normal that an unpatched j2.5.28 logs you out. The patch should still be applied.