Security release of vm2.6.10 and vm2.9.9b

Posted in Latest News

If you are using a version lower than 2.6.10, you should update right away.

During a routine audit, the Sucuri firm found a critical vulnerability and informed the VirtueMart team.
The bug was immediately patched (in record time); version 2.6.10 (stable) and version 2.9.9b (in RC state) fix this issue.

If you cannot update VirtueMart, please follow these instructions.

Our Security policy

There have recently been some misconceptions about our security policy. Some people complain that we are not following the "Full Disclosure" philosophy (please read Full disclosure (computer security)). "Full Disclosure" dates from the beginning of the open source movement and can also be seen as an answer to the "non-disclosure" behaviour of proprietary software vendors. The experience was that reported vulnerabilities were not fixed, so people learnt that revealing a vulnerability in public led to a fast reaction from the blamed company. The bad actors in this business simply started to blackmail companies.
There are of course other advantages as well. In the case of Linux kernels, the idea is that everyone works together on a fix. The leaks are often a lot more complex, so the more people know about them, the faster they are fixed. Furthermore, anyone should be able to learn from the leak to prevent the issue in future.

In our case, most security leaks are fixed within minutes, maybe within 1-2 hours. So the argument that the more people know, the faster a fix is ready does not apply to Joomla extensions. We therefore follow the philosophy of "responsible disclosure" (please read Responsible disclosure). Sucuri also follows this idea. They are professionals and know how to handle a vulnerability for the benefit of all users. They informed us privately about the problem. We fixed it within a day, they tested our fix and asked whether it was the right time to inform their customers. We did the most important thing, providing a fix; the only thing missing was the "responsible disclosure". So I agreed, but misunderstood them, because I did not mean that they should disclose the vulnerability in detail. A correct disclosure in our environment (PHP, open source) must always also contain an explanation of how to fix the issue manually. The other reason is that the problem actually lies in the Joomla user "model", and it should also be fixed in JUser to prevent misuse of it before we do the "Full disclosure". Persuading the Joomla developers to protect their model turned out to be more complex than expected. Their argument is that there is no problem as long as you are using the Joomla Form. We are stuck for now and must prepare an explanation of why it is always bad to allow any form to override internal variables of an object.

How to get the security fix without updating VirtueMart

If you cannot update VirtueMart, there are two possibilities:

Exchange the file models/user.php

The easiest way is just to exchange the user model with the new one:

  1. Download the latest version (VirtueMart 2.6.10 or VirtueMart 2.9.9b)
  2. Replace the file /administrator/components/com_virtuemart/models/user.php with the new one.

The user model is almost untouched for a year, so you should first try just to exchange the model.

Patch the user.php file

If you think your user model is too heavily modified, it is enough to add unset($data['isRoot']); at the top of the user model's store function, or to bind only a white list of fields:

  1. Open /administrator/components/com_virtuemart/models/user.php
  2. Search for the function named function store(&$data,$checkToken = TRUE)
  3. Replace the line

    if (!$user->bind($data)) {

     with

    // Only an administrator may bind arbitrary user data; everyone else gets a white list.
    // The admin condition is not reproduced on this page; VirtueMart's Permissions helper is used here as an assumption.
    if (!Permissions::getInstance()->check('admin')) {
    	$whiteDataToBind = array();
    	$whiteDataToBind['name'] = $data['name'];
    	$whiteDataToBind['username'] = $data['username'];
    	$whiteDataToBind['email'] = $data['email'];
    	if(isset($data['password'])) $whiteDataToBind['password'] = $data['password'];
    	if(isset($data['password2'])) $whiteDataToBind['password2'] = $data['password2'];
    } else {
    	$whiteDataToBind = $data;
    }
    // Bind Joomla userdata
    if (!$user->bind($whiteDataToBind)) {

We simply create a new array and set each variable manually (a white list).

The real problem behind all this

The JUser model bind function just loops through the properties of the class and sets any incoming data with the same name onto the object. The filtering is done by an attached JForm (GUI elements) that filters the input data. So if developers use the Joomla model without a form, they have to filter the data themselves; otherwise it is possible to override internal variables of the object.
The binding for normal JTables does not override internal variables as long as you follow the habit/convention of naming them with a leading underscore (_). The check function additionally ensures that the data is correct. But the JUser object does not follow Joomla's own conventions. Additionally it is very unclean to use MVC and have a model which needs GUI elements to do correct filtering. There are enough tasks that use a model without any GUI. For a developer just using the Joomla API it is like a trap. A model should be secure by itself, without needing a "View" or "Controller" to be safe. SCNR, but Joomla 2.5.16 fixed a security leak in some of the JFormFields. So other solutions based on that were also very insecure for years.

The suggested fix in the Joomla user model is very easy. Just unset the sensitive data if the user is not an admin. This should be done in the bind function and in the store function. The advantages are obvious:

  • A lot of other extensions for Joomla become more secure. It is very unlikely that only VM has this problem.
  • People can do a small Joomla update and still use their modified extensions.
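To make the point concrete, here is an added example in plain PHP (not Joomla or VirtueMart code): a minimal model whose bind() copies every matching key onto the object, the way the text describes JUser doing it, next to a subclass that drops administrator-only properties when the caller is not an admin. The class names, the $adminOnly list and the $callerIsAdmin flag are this example's own.

```php
<?php
// Added example, not Joomla or VirtueMart code. Class and property names are constructed.

class LooseUserModel
{
    public $name;
    public $email;
    public $isRoot = false;   // internal flag, never meant to be set from request data

    // Mass assignment: every request key that matches a property name is copied onto
    // the object, so nothing stops a submitted 'isRoot' from reaching the internal flag.
    public function bind(array $data)
    {
        foreach ($data as $key => $value) {
            if (property_exists($this, $key)) {
                $this->$key = $value;
            }
        }
        return true;
    }
}

class FilteredUserModel extends LooseUserModel
{
    // Properties only an administrator may set (this example's list, mirroring the fix suggested above).
    private static $adminOnly = array('isRoot');

    // Remove administrator-only keys before binding unless the caller is an admin, so the
    // model is safe on its own without relying on a form to filter the input.
    public function bind(array $data, $callerIsAdmin = false)
    {
        if (!$callerIsAdmin) {
            foreach (self::$adminOnly as $key) {
                unset($data[$key]);
            }
        }
        return parent::bind($data);
    }
}

// Constructed request data: the regular form fields plus an extra key the form never offered.
$request = array('name' => 'Alice', 'email' => 'alice@example.com', 'isRoot' => true);

$loose = new LooseUserModel();
$loose->bind($request);
var_dump($loose->isRoot);      // the extra key has overridden the internal flag

$filtered = new FilteredUserModel();
$filtered->bind($request, false);
var_dump($filtered->isRoot);   // the key was stripped; the default value is kept
```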

Personally I see the request for full disclosure as a typical academic, but noobish request. Not only the good guys learn from disclosures; the black hat faction learns from them too. It is important to differentiate: sometimes a full disclosure makes absolute sense, but not always. It depends on the complexity of the problem, how many people already know about it, the reaction of the maintainers, and so on.


VirtueMart 2.6.8 includes Realex

Posted in Latest News

We are pleased to announce that Realex is now available through VirtueMart’s ecommerce solution.


Sign up today and receive 1 month free processing!

Use the Realex Payments integration as part of your VirtueMart e-commerce solution and benefit from a seamless, no-hassle integration offering industry-leading features and support.

Why Choose Realex?

Realex Payments is a leading European payment services provider, with offices in Dublin, London and Paris. We currently process in excess of €24 billion annually for over 12,500 clients including Virgin Atlantic, Vodafone, Paddy Power and BooHoo.

Some of the key reasons merchants choose us over other gateways:

  • 3DSecure - Protect yourself against fraud and chargebacks. We fully support 3DSecure, which provides additional protection should a chargeback occur.
  • Access your funds quickly - The Acquiring Banks we work with typically settle funds into your account within 2 days, unlike 7 days for some of our competitors.
  • Pricing - As you scale your business, other payment processors can very quickly become expensive. We offer a flat per transaction rate that can be tailored to your business as you grow.
  • Customer Service - We don't believe in IVRs; simply pick up the phone and speak with a familiar voice.

Realex Features

"Realex Payments are delighted to have partnered with the VirtueMart core team to build a simple to use and feature-rich integration."

Features include:

  • Processing for all card payment types
  • Major alternative payment methods (PayPal, Sofort, GiroPay, ELV, iDeal)
  • Transactions processing in 150 currencies
  • Fully PCI level 1-compliant, responsive and customisable hosted payment page
  • 1-Click checkout for a seamless checkout experience
  • Secure Card Tokenisation for recurring payments - RealVault
  • Dynamic Currency Conversion to allow shoppers to pay in their currency
  • Fraud checks: CVN, 3DSecure (incl. Amex SafeKey) and AVS
  • Comprehensive suite of fraud management tools - RealScore
  • Delayed/Deferred Settlement
  • Comprehensive Order Management (refund, void, settle) from the VirtueMart back-office
  • Plug and play access to our APIs
  • Comprehensive, configurable and flexible transaction routing capability

To Find Out More

For more information please contact us by e-mail, or sign up with Realex Payments today to get one month free processing and join the hundreds of VirtueMart merchants who know and trust us to process thousands of orders per week.

Updates and bug fixes VirtueMart 2.6.8

  • Preventing double orders (3rd party developers may adjust their payments)
  • Shipment price display in product details
  • Better Itemid handling in the router
  • Thumbnail resizing if one dimension is 0 (same as already for vm3)
  • Router is using category model now, better use of already cached data
  • If One Page Checkout is disabled and Show checkout steps is activated, the shipment and payment selection is only shown if a shipment/payment is already selected. This restores the old VM1 behaviour.
  • Little fix for shipment/payment tax with different VatTax rules
  • Fix for product cache (occurred rarely)
  • Lots of small typo fixes, increased robustness, little enhancements


Updates about VirtueMart 3, Support Membership

Posted in Latest News

VirtueMart 3, Core is ready for testing

We can finally announce that the VirtueMart 3 core is ready as Release Candidate 2.9.8. The remaining job is now to test the core intensively on Joomla 3.3 and to add the missing backward compatibility for easy updating. As far as we can see, all API changes are done.

The primary task is now to test the plugins, adjust them to the new Joomla 2.5 style and, if necessary, add fallbacks or provide developer information for switches in our Code adjustments for Virtuemart 3. This manual will grow; the more feedback developers provide, the faster. The plugins for the customfields must be updated, and all extensions working with the customs need to be updated. Except for the customfield plugins, the old plugins will almost directly work. Their xml files must be updated to the j2.5 style; they need some adjustments anyway to run with Joomla 3, like using vRequest (respectively JInput).

The changes in VirtueMart 3

Our priority for VM3 is to develop a robust core providing a cleaner structure and less code. We reduced the dependencies on Joomla, but on the other hand increased the integration. For example, the core now uses only the JFormFields of Joomla 2.5 and no longer the old vmParameter, but we added vRequest (MIT) as an alternative to JInput. Developers can now use the normal JFormField Joomla conventions for all plugins.

You can re-use your layouts by using the new sublayouts (like minilayouts). They give your store a consistent appearance and make it easier to adjust standards for different layouts in one overridable file. The input data is very unified which makes it stable against updates.

The new core has an advanced cart with enhancements to provide better update compatibility. For example the new custom userfields now include an option to be displayed on the checkout page and can use their own overridable mini layouts making it easy to adjust the cart to legal requirements without touching the template. The data stored in the session is minified and therefore the cart now uses normal products, which can be easily modified by plugins (for example to adjust the weight).

The new jQuery versions are now mainly the same as in joomla 3.3 (jQuery v1.11.0,jQuery UI - v1.9.2, legacy complete). Shops using joomla 2.5 with VM3 will also benefit from this. It will prevent needless configuration problems.

Frontend Editing combined with the Joomla ACL now allows your vendors to directly access the VirtueMart backend from the frontend, without having real access to the Joomla backend. This feature is still under heavy development and we are still looking for funds to complete it. So far vendors can just create new products, edit their products and list their products. It is the first step towards making multivendor accessible for normal end users.

"Additional Shoppergroup" is a new feature for shoppergroups, which do not replace the default groups.

New internal program caches reduce the sql queries for the most used tasks by more than 20%.  

And of course the new customfields: redesigned, with new options, and a lot more flexible to use.


A new trigger system, for the checkout only, has been started. It needs a new derived function/trigger and cannot be done with the old triggers. It will work with some kind of event system and call the proper plugins directly. We will write this after the first release. Old plugins then just need to be updated with the new trigger to participate in the new system.

Simple ajax reloading of the component view. We are very happy that Max Galt, the developer of the cherry picker, has donated his javascript code for dynamic reloading of products to the VirtueMart Project.

Please download and test

VirtueMart Support Membership

We have recently introduced a membership for the VirtueMart Project. We recognized that VirtueMart users want a reliable support address if they find a bug, and that a public forum is not adequate for serious business owners. In the past two years the core development team also had to spend too much time providing customizations to make their living. Providing a really well maintained and professionally tested core takes more and more time, and the complexity required to keep it simple for end users and web agencies increases with every version.

  • VirtueMart continues with one free version
  • Members are customers with access to our ticket system
  • The membership helps the core developers to focus on the project and enables us to provide a very high code quality
  • Any tier gives a vote for a desired feature to influence the roadmap
  • Added value (multi-add layout, display shipment costs for products,...)

There are also some nice ideas to enhance the core. For example multi-image upload, different sizes for images, more different layouts to choose from, angular js (very fast), more multivendor, multi-language tools, enhanced js for the BE, flexible and configurable OPC, ...

We also already invested into the new router of Hannes Papenberg and it will be provided to the VirtueMart Support Members.

Become a VirtueMart Associate Member

There is also already a thread about this in the forum

VirtueMart 2.6.6 includes Paybox

Posted in Latest News

We are pleased to announce that Paybox is now available through VirtueMart’s ecommerce solution.


PAYBOX, the secure payment platform of the Point-VeriFone Group, offers a range of solutions and services to e-merchants to manage their settlements across all sales channels.

Paybox currently processes payment flows for over 27,000 merchants and 120 million transactions per year.
Paybox operates a payment service in conjunction with various actors in the e-commerce industry.


Paybox has been supporting online retailers in their day-to-day business for over 15 years, and offers a secure, flexible and turnkey payment solution that meets all your requirements thanks to its unique platform -  cross-channel, multiple payment methods, multi-services, multi-bank, multi-currency - and its fraud management and reporting tools.

A wide range of technical environments enables Paybox to adapt its solutions to all types of project, from the most simple to the most complex whatever the size of your business, your sales channels or your business sector.

Paybox is certified and recognized by all banks (PCI/DSS 2.0 operator, 3-D Secure activated with all banks).


The Paybox platform accepts 52 currencies, allowing you to cash your transactions anywhere in the world, either via your distance sale contract or via your connection contract with buyers and international payment methods.

Updates and Bug Fixes

  • fix preventing creation of doubled orders
  • use for token check in updatesmigration.php the new vmCheckToken of vRequest
  • update of heidelpay payment plugin
  • fixed creation of slugs for "adding a child"
  • fixes while updating the tables for the Joomla updater

New Release VirtueMart 2.6.4

Posted in Latest News

VirtueMart releases pure bugfix release VM2.6.4

This is a pure bugfix release. The liveupdater did not work, so we replaced it with the Joomla updater. We also checked the language loaders, which should now work more robustly. The cache returns the JTable object again.

List of bugfixes:

  • Important fix for vmtable. The cache returned a standard object with the data, whereas before it returned a JObject. The data is now stored as a standard object and bound to the table, which is returned.
  • Reworked loading of language files in email and invoice
  • Correct language loader for plugins added
  • Small fix for loadJLang (reset of tested path)
  • Loading Be language, changed to FE language
  • Added replyto the shopper in vendor email
  • Akeeba liveupdater removed
  • xml for joomla updater added
