• Security Release VirtueMart 3.8.6 Closing an XSS Vulnerability

    A new XSS was found by 4N_CURZE (https://www.openbugbounty.org/researchers/4N_CURZE/). It took a while to reproduce, because it was caused by the manufacturer drop-down, which is not always activated. The problem itself was easy to fix: although the value was whitelisted everywhere else, the whitelist check was missing for the manufacturer drop-down list. Since the previous release some features got added. The long-desired multicart system got implemented. Multicart means for a multi-vendor shop, that there is...
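    The fix described above is a whitelist check on a request parameter that drives a drop-down. The following is an added example, not VirtueMart's code: the manufacturer list (MANUFACTURERS), the parameter name manufacturer_id and the hostile test input are all constructed. It shows the reflected-value pattern that lets markup into the page beside a variant that accepts only an id the shop actually knows and escapes what it renders.

```php
<?php
// Added example, not VirtueMart code: a request value that feeds a drop-down is
// whitelisted against the real list of choices before it is used or reflected.
// MANUFACTURERS, the parameter name and the hostile input are constructed.
declare(strict_types=1);

// Constructed sample data standing in for the shop's manufacturer table (id => name).
const MANUFACTURERS = [
    1 => 'Acme Tools',
    2 => 'Globex',
    3 => 'Initech',
];

/**
 * Illustrative vulnerable pattern: the raw request value is echoed back into an
 * attribute. A value containing "> closes the tag and the rest becomes live markup.
 */
function renderFilterVulnerable(string $manufacturerParam): string
{
    return '<input type="hidden" name="manufacturer_id" value="' . $manufacturerParam . '">';
}

/**
 * Whitelist: accept the parameter only if it is a plain integer that names a
 * manufacturer the shop knows. Anything else collapses to null (= "no filter").
 */
function whitelistManufacturerId(?string $raw, array $allowedIds): ?int
{
    if ($raw === null || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return in_array($id, $allowedIds, true) ? $id : null;
}

/**
 * Hardened rendering: only whitelisted ids reach the page, and every value is still
 * escaped on output so the defence does not depend on the whitelist alone.
 */
function renderFilterSafe(?string $raw): string
{
    $selected = whitelistManufacturerId($raw, array_keys(MANUFACTURERS));
    $html = '<select name="manufacturer_id"><option value="">All manufacturers</option>';
    foreach (MANUFACTURERS as $id => $name) {
        $attr = ($id === $selected) ? ' selected' : '';
        $html .= '<option value="' . $id . '"' . $attr . '>'
               . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html . '</select>';
}

// Constructed hostile input: breaks out of the attribute in the vulnerable variant.
$hostile = '"><i>injected</i>';

echo renderFilterVulnerable($hostile), "\n";  // injected markup survives into the page
echo renderFilterSafe($hostile), "\n";        // rejected: nothing pre-selected, nothing reflected
echo renderFilterSafe('2'), "\n";             // valid id: Globex is pre-selected
echo renderFilterSafe('99'), "\n";            // well-formed but unknown id: treated as no filter
```

    The point the changelog makes is that the whitelist has to be applied at every place the value is consumed; a single drop-down that skips it is enough. Validating against the real list of ids (rather than only escaping) also stops unknown ids from reaching the query that builds the product list.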



# Itemid issue: the shop was also fetching restricted menu items and used their Itemid, which resulted in "You're not allowed to view this resource..." (ps_session.php)
# added missing Itemid parameter in the product file list (ps_product_files.php) and the PDF-button link (virtuemart.php)
# Task #724 - Coupon discount becomes 0.00 when adding a new item (basket.php)

05-05-2006 soeren
^ Updated the UPS and USPS shipping modules with the versions contributed by koltz & deneb
# Task #738 - shop.pdf_output.php creates a loop when /usr/bin/htmldoc is available (shop.pdf_output.php)

! DATABASE STRUCTURE CHANGED!
^ The length of some DECIMAL fields is not enough
#############################
    # Allow Shopper group discounts up to 100.00%
    ALTER TABLE `jos_vm_shopper_group` CHANGE `shopper_group_discount` `shopper_group_discount` DECIMAL( 5, 2 ) NOT NULL DEFAULT '0.00';
    # Allow bigger discounts than 999.99
    ALTER TABLE `jos_vm_product_discount` CHANGE `amount` `amount` DECIMAL( 12, 2 ) NOT NULL DEFAULT '0.00';
    # Allow prices up to 9 999 999 999.99
    ALTER TABLE `jos_vm_product_price` CHANGE `product_price` `product_price` DECIMAL( 12, 5 ) NULL DEFAULT NULL ;
    # Adjust order item price
    ALTER TABLE `jos_vm_order_item` CHANGE `product_item_price` `product_item_price` DECIMAL( 15, 5 ) NULL DEFAULT NULL ;
    # Adjust order item final price
    ALTER TABLE `jos_vm_order_item` CHANGE `product_final_price` `product_final_price` DECIMAL( 12, 2 ) NOT NULL DEFAULT '0.00';
    # Adjust order total, allowing totals up to 9 999 999 999 999.99
    ALTER TABLE `jos_vm_orders` CHANGE `order_total` `order_total` DECIMAL( 15, 5 ) NULL DEFAULT NULL ;
    ALTER TABLE `jos_vm_orders` CHANGE `order_subtotal` `order_subtotal` DECIMAL( 15, 5 ) NULL DEFAULT NULL ;
    
    # Allow larger coupon amounts
    ALTER TABLE `jos_vm_orders` CHANGE `coupon_discount` `coupon_discount` DECIMAL( 12, 2 ) NOT NULL DEFAULT '0.00';
    ALTER TABLE `jos_vm_coupons` CHANGE `coupon_value` `coupon_value` DECIMAL( 12, 2 ) NOT NULL DEFAULT '0.00';
   
    # Allow larger payment discounts
    ALTER TABLE `jos_vm_orders` CHANGE `order_discount` `order_discount` DECIMAL( 12, 2 ) NOT NULL DEFAULT '0.00';
    ALTER TABLE `jos_vm_payment_method` CHANGE `payment_method_discount` `payment_method_discount` DECIMAL( 12, 2 ) NULL DEFAULT NULL ;
#############################
   

02-05-2006 soeren

# could not update or delete in/from cart for products with single quotes in their attribute name/value (ps_cart.php)

27-04-2006 soeren
# Task #729 - additional address links in admin (admin.user_form.php)
# Task #733 - Discount causes error message in Order Details page (account.order_details.php)
# Task #73 - Order Confirm E-Mail - Plain text & html text of Message differ (ps_checkout.php)
# fixed mis-aligned icons on administration start page (ps_html.php)
# product type list & form missing an object (product.product_type_list/_form.php)

23-04-2006 soeren

+ Now it is possible to easily inform your customers about their order cancellation right
    and your returns policy (as required by law in most European countries!)
    => added 3 new configuration parameters (affected files: ps_config.php, admin.show_cfg.php, checkout.index.php, language files)
    ! Update your configuration when updating from an earlier version
# hiding attribute price modifiers when the user has no permission to view prices (ps_product_attribute.php)

20-04-2006 soeren
# Task #722 - Undefined index: coupon_discount in ps_checkout.php
# Task #721 - Trying to get property of non-object in shop.debug.php
# Task #720 - Undefined $VM_LANG in ps_config.php
# Task #719 - User list and user registration not compatible with UserExtended Component (ps_perm.php, admin.user_list.php)
# Task #715 - List Prices not showing since upgrade to 1.0.4 (ps_product.php, function show_prices)
# Task #560 - Clone Product with Child Products (added "SHOW" as result-returning-case ps_database.php)
# Task #675 - No permissions to view products after search (virtuemart.searchbot.php)
# Task #698 - Lost password link uses relative link instead of absolute (mod_virtuemart.php)
# Task #707 - Payment method at the end of the checkout is not shown (ps_checkout.php)
# Task #703 - Continue Shopping appears after modifying order details in shopping cart
^ registered users (logged in) who are NOT registered as a customer (no billing address and
    no shopper group) now get the "default" shopper group id when browsing the shop. (ps_perm.php)
   
18-04-2006

# Task #705 - Product Type Pagelinks are not working due to wrong $num_rows
# Task #706 - Session Problems in Mambo 4.5.3h (closing opened sessions when session.auto_start=1, ps_session.php)
# search for the correct flypage led to an endless loop (ps_product.php)

09-04-2006

# Task #686 - VirtueMart and Mambo 4.6.0 (admin.user_form.php, virtuemart_parser.php)
# Task #646 - Search according to Parameters incorrect query
# Task #642 - Set Locale Error (virtuemart_parser.php)
 
02-04-2006 soeren

# Task #632 - get_flypage doesn't take into consideration parent products (ps_product.php)
# Task #631 - Customer Unable to Remove Data from Bill To / Ship To Fields (ps_shopper.php)
# Task #629 - PayFlow Pro does not handle 4 digit expiration dates gracefully
# Task #511 - Discount % percentage is ignored by cart (ps_product.php)
# Page redirection on error from Ship-To address from fixed, thanks TJ! (account.shipto.php)

30-03-2006 soeren

^ integrated the changes to the authorize.net class by Daniel Wagner (http://virtuemart.net/index.php?option=com_flyspray&do=details&id=634&Itemid=83)
# wrong object names in PayPal notify.php script led to a fatal error
# Task #656 - "Remember Me" must be enabled to checkout, checkout_registration_form.php
# tooltip function: added charset parameter to encode UTF-8 strings too, htmlTools.class.php
+ introduced a new function called "vmGetCharset" to return the current charset from the _ISO setting (UTF-8 by default), ps_main.php

28-03-2006 soeren
# query error in ps_affiliate.php
# fixed reviews listing ("More..." - link when more than 5 reviews exist for a product) in the frontend (ps_reviews.php)
# fixed page navigation on product review list in administration (product.review_list.php)
+ customer name on order list (thanks to deneb!), (order.order_list.php)
# Fixed PayPal notify.php script:
    - wrong field name (` order_currency` instead of `order_currency`)
    - checking received currency and amount against database
# parameter search query missing a `
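The notify.php fix above adds a check of the received currency and amount against the order in the database. As an added example (not VirtueMart's notify.php), this is what such a check looks like: the field names mc_gross, mc_currency and payment_status follow PayPal's IPN variable names, the order row and the two notifications are constructed, and the payment_status check is an addition beyond what the changelog entry mentions. Amounts are compared as fixed-point integers so a DECIMAL(15,5) value from the database and a two-decimal amount from the gateway compare equal without float rounding.

```php
<?php
// Added example, not VirtueMart's notify.php: before an order is marked paid, the
// amount and currency in the payment notification are checked against the order
// stored in the shop. Field names mc_gross / mc_currency / payment_status follow
// PayPal's IPN variable names; the order row and notifications are constructed, and
// the payment_status check is an addition beyond what the changelog entry mentions.
declare(strict_types=1);

/**
 * Parse a decimal amount string into integer units of 0.00001 without going through
 * floats, so "129.95" and the DECIMAL(15,5) value "129.95000" compare equal.
 * Returns null for anything that is not a plain unsigned decimal.
 */
function toMinorUnits(string $amount): ?int
{
    if (!preg_match('/^(\d{1,12})(?:\.(\d{1,5}))?$/', $amount, $m)) {
        return null;
    }
    $frac = str_pad($m[2] ?? '', 5, '0', STR_PAD_RIGHT);
    return ((int) $m[1]) * 100000 + (int) $frac;
}

/**
 * Returns the list of reasons the notification must NOT be trusted for this order;
 * an empty list means amount, currency and status all match.
 */
function verifyPaymentNotification(array $ipn, array $order): array
{
    $problems = [];

    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }

    if (strtoupper($ipn['mc_currency'] ?? '') !== strtoupper($order['order_currency'])) {
        $problems[] = 'currency mismatch';
    }

    $paid = toMinorUnits((string) ($ipn['mc_gross'] ?? ''));
    $due  = toMinorUnits($order['order_total']);
    if ($paid === null || $due === null || $paid !== $due) {
        $problems[] = 'amount mismatch';
    }

    return $problems;
}

// Constructed order row, as the shop would hold it (DECIMAL(15,5) total).
$order = [
    'order_id'       => 1042,
    'order_total'    => '129.95000',
    'order_currency' => 'EUR',
];

// Constructed notifications: one matching, one paying a different amount in another currency.
$matching = ['payment_status' => 'Completed', 'mc_gross' => '129.95', 'mc_currency' => 'EUR'];
$tampered = ['payment_status' => 'Completed', 'mc_gross' => '1.00',   'mc_currency' => 'USD'];

var_dump(verifyPaymentNotification($matching, $order)); // empty array: safe to mark paid
var_dump(verifyPaymentNotification($tampered, $order)); // currency mismatch, amount mismatch
```

The order is only marked paid when the returned list is empty; anything else should be logged with the notification's transaction id and left for manual review rather than silently discarded.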

27-03-2006 soeren

# version.php causing fatal error regarding "class vmVersion previously declared..."
# Prices visible to all users, although restricted
# Admin Menu not visible with Chinese language file (htmlentities missing third (=Charset) parameter)
# CSV Export doesn't export parent product SKU (parent-child relationship gets lost)
# fixed a small typo in the product scroller module

---- VirtueMart 1.0.4 released ----

Testimonial

I just wanted to let you know how impressed I am with Virtuemart now. I had toyed around with Virtuemart earlier in 2008 and it is amazing at the difference between there and now. You people are doing great work!
