
Miva Merchant Production Release 7 (aka Wombat) Is Released - Part 1





    479: Second Address line at checkout
    1220: Runtime >> Create Affiliate Account >> After an account is created, refreshing causes duplicate records
    1912: State based sales tax not rounding correctly
    4733: PayPal Pro express not sending order details
    4775: Displayed numeric values not rounded (WAS: ups: Handling charge is not rounded properly)
    4893: If Merchant5/sNN directory does not exist, components silently fail to update
    4903: Tables that no longer exist are still deleted
    4920: Launchpad buttons not assigned to a store causes a runtime error
    4927: prodimpt: "Delete Existing Data When Imported Data Is Empty" deletes all custom field values
    4929: Amazon Simple Pay - quotes in store name cause invalid signature
    4931: Chase PaymentTech needs to be updated to include general changes we've made to all payment modules
    4936: No validation of affiliate code when inserting/updating at runtime
    4937: No page heading for 'Add an Affiliate' in admin
    4942: Need to update PayFlow Pro XMLPayRequest URL.
    4952: Sitemap component not being exported correctly when saving a framework
    4953: Frameworks not implementing their contained category_tree component correctly
    4954: Google Checkout needs control over the Default Shipping Method
    4956: Miva_ValidateFileUpload returns 0 if OpenDataFiles fails
    4961: Module feature changes are not propagated to stores on update
    4967: Sitemap item is not exporting its template when saving a framework
    4971: External CSS files are not parsed for images when exporting a framework
    4976: Chase only allows 30 characters in address field
    4977: Searching "Invoice Date" searches UNIX timestamp
    4988: Product export is extremely slow on MivaSQL
    4992: It's possible to create a circular category hierarchy in the admin
    4998: When importing products you can add products to categories even if you choose to Keep Existing Products
    4999: Product Export does not have any way to specify a delimiter
    5001: Attribute template options copied to a product cannot be sorted
    5003: USPS trademark symbol should be changed from an ascii char to an entity
    5004: It is possible to create an Affiliate account with no password at runtime.
    5005: When custeml module is set to inactive, you cannot create a new store.
    5008: There is no way to provision domain countries
    5011: countries removed from Domain Settings -> Countries still show up during checkout
    5056: PCHDFT item does not remove records when the product is deleted from the Batch Edit.
    5057: PCHDFT item does not remove records when the category is deleted from the Batch Edit.
    5059: EuroVAT Product Price Includes VAT option shouldn't calculate tax for other Basket Charges
    5065: Buysafe bonding charges are being charged tax, but they should not be
    5070: Flat File Customer Export has an inconsistent header field name.
    5071: Flat File Product Export module doesn't have an option to specify the delimiter
    5072: Import/Export Product/Category need to also support Headers & Footers
    5086: Frameworks don't overwrite existing css files
    5103: Category import does not allow deletion of custom field data
    5104: Import Customers from Flat File does not handle custom customer fields
    5111: Force secure admin login when a secure URL is configured
    5126: Edit_Store variable can be used to create a store.
    5127: XSS: Add/Edit Module, Module_Module unencoded
    5128: XSS: Domain/LaunchPad, LaunchPadButton[n]:label/:sublabel
    5129: XSS: JavaScriptEncode does not prevent against HTML comment-based attacks
    5131: Domain: LaunchPad tab: Hidden error messages
    5133: Upsell Batch Edit: SQL Injection on Upsell_Search
    5134: Category Batch Edit Screen: XSS On Custom_Fields[n]:values
    5135: Category Batch Edit Screen: XSS on Category_Search
    5136: Groups has an XSS vulnerability on privilege/name fields.
    5140: Edit Page: XSS on Page_Code
    5141: Product Batch Edit Screen: XSS On Custom Fields variables
    5142: Product Batch Edit Screen: XSS on Product_Search
    5143: Customer Batch Edit: XSS on Custom_Fields[]:xxx
    5144: Product Export: XSS on Product_Check_CustomFields[n]:name
    5145: Customer Export: XSS on Customer_Check_CustomFields[n]:name
    5146: Category Export: XSS on Category_Check_CustomFields[n]:name
    5147: Custom Fields Module: Category tab outputs custom field name unencoded
    5148: cmp-mv-prodctgy-meta: XSS on category component tab
    5151: We need to make Runtime Login error reporting more ambiguous.
    5157: USPS runtime error with zip+4 for Puerto Rico
    5158: Module Batch Edit Screen: XSS on Module Feature List
    5159: Edit Category >> Custom Fields >> XSS on CFM_Fields[n]:name
    5160: Domain >> SEO Settings Tab >> XSS on SEO_Settings:cat_lit
    5161: Customers >> Edit Customer >> Custom Fields Tab >> XSS on CFM_Fields
    5162: SQL Injection in Google Checkout
    5163: Google Checkout has some XSS vulnerabilities.
    5164: Legacy Printer Friendly Order Screen: XSS on Edit_Store
    5165: Upgrade Wizard: XSS on Upgrade_Message.
    5166: License Manager URL for update.mvc goes to
    5167: Domain >> Launchpad tab loads the module list inefficiently.
    5168: Store Modules Screen: Infinite loop when g.Module_Count is not an integer
    5171: Admin > SEO Settings > URL Delimiter field does not validate its input
    5173: CSSUI Buttons: XSS on store tab
    5175: cmp-mv-meta: Cross Site Scripting
    5176: Runtime > Edit Affiliate > Payment Date is not formatted.
    5180: Utilities >> Google Checkout Orders >> The Layout appears broken.
    5182: Denial of service attack through Product_Attribute_Count
    5183: Denial of service attack through Upsell_Product_Count
    5184: Runtime >> Affiliate Links is overwriting g.Affiliate
    5185: ItemModified is not cleared on Reset/Update/Delete
    5186: Upsell Settings: Validation error when products to show is "Unlimited"
    5187: malf: Multiple upsold products are not logged
    5193: customfields: No provisioning for category custom fields
    5198: Provisioning: UI Module validation errors when creating multiple stores in the same provisioning file
    5204: authnet orders do not show credit card type.
    5208: PayPalPro Payment Settings Tab hides Product_Offset twice
    5209: PayPalPro Product_Search is unencoded.
    5210: The Next/Previous buttons fail on Products that have an ampersand in the Product Code
    Last edited by Rick Wilson; 05-10-10, 09:56 AM.

    Rick Wilson
    Miva, Inc.
    [email protected]

    Re: Miva Merchant Production Release 7 (aka Wombat) Is Released - Part 2

    5211: Missing tr tag from first row of tabs in DrawTabs
    5215: PopupFileUpload() contains misspelled encodeURIComponent()
    5216: Account links use non-secure urls
    5222: Runtime >> The Logout Link on Customer Edit screen should be using secure_sessionurl
    5223: MMUI >> Runtime >> Customer Account page only shows up on Customer Login
    5233: Encryption Keys created through provisioning have empty passphrases
    5235: Cannot assign an attribute template to a product more than once
    5239: Chase AVS only allows US, UK, CA and GB
    5240: Currency, tax, or UI modules cannot create self-referential items during installation
    5241: TemplateManager_Create_Page_LowLevel aborts page creation if items from Template_Items do not exist
    5242: Importing Category header/footer from flat file does not create compiled template file
    5243: XSS: Custom_Fields[n]:name on category batch edit screen
    5244: XSS: Submit_Config_Data:login_url on Miva Merchant Submit Configuration screen
    5245: XSS: Order_Search on Legacy Order Processing batch edit screen
    5246: XSS: Custom_Fields[n]:name on customer batch edit screen
    5247: XSS: subTab on google checkout configuration screen
    5248: XSS: Shipping_MvFedEx_Services[n]:name on shipping configuration screen
    5249: XSS: Shipping_USPS_DomMethods[n]:name on shipping configuration screen
    5250: XSS: Shipping_USPS_IntMethods[n]:name on shipping configuration screen
    5251: XSS: Custom_Fields[n]:name on product batch edit screen
    5252: XSS: Product List components on settings:fields_custom[n]:name
    5253: XSS: Category Tree/List components: settings:fields_custom[n]:name
    5256: XSS: Product Display components: settings:fields_custom[n]:name
    5257: XSS: cmp-mmui-buttons: MMUI_Buttons[n]:prompt
    5258: category_list tab has an infinite loop in admin
    5259: product_list tab has infinite loop in admin
    5270: Custom field provisioning does not verify that the module is installed in the store being provisioned
    5293: After deleting a module, control should return to the module batch edit screen
    5294: PayPalPro returns no report fields
    5309: The copyright dates should be updated.
    5313: Canadian VAT not calculating properly
    5314: Cannot enable product inventory and set stock level in the same tag
    5316: No provisioning for domain SEO settings
    5320: remove.mvc not removing tables
    5322: InventoryProductSettings_Update does not set proper defaults for non-present optional tags when enabling inventory
    5323: PayPal IPN - Shipping Address that's entered on PayPal's side, does not come back to Miva Merchant.
    5324: Future PRV_Tag_Date dates are generated with incorrect daylight savings time adjustment
    5339: AttributeTemplates.d.refcount not updated
    5343: Cannot swap between attribute templates via product update provisioning
    5346: SkinsComponentModule_Export fails to export content from more than one item
    5347: Pages' IDs, codes and names are not available to the template language at runtime
    5348: When modifying a page during uninstall, a module must remove references to all its items
    5349: Framework install code fails to apply templates for components with multiple items
    5352: NTFD page outputs 200 Success Status code (was: Need to create page-level custom HTTP header component)
    5362: prodimpt: Setting the Track Product Inventory field to "No" does not remove relevant records.
    5366: UPS is still using the old URL
    5371: Code which pre-populates UpgradeInstalledPatches was not merged from feature-upg-4
    5375: PayPal Pro was missing the build_ident tag.
    5378: Flat file import modules allow invalid email addresses for password recovery email field
    5379: Admin_Open_Store does not load any information about the UI module
    5380: Store_Open: g.Store_Framework_Inuse code is inefficient and inexact
    5407: USPS Online Rate Calculation is allowing bolded fields to contain empty values
    5416: Order Encryption allows creation of keys with whitespace as prompts
    5419: Edit Store >> Maintenance Mode tab >> Warning and Maintenance Messages should be top aligned.
    5457: Customer, category, and order export modules do not validate the user-defined email address field
    5458: SEO settings functions aren't encoding ampersands when generating traditional links
    5459: MMUI Sitemap component has duplicate Miva Merchant footer link in its default template
    5465: cmp-mmui-orderlist: Component does not reset to point + click mode from advanced mode via provisioning
    5470: MMUI: Sitemap page doesn't support css_fw
    5471: Edit Product: Cannot assign an attribute template to a product if it has a colon (:) in its code
    5473: references
    5482: cusimpt: Does not validate customer login
    5495: Payment Configuration Wizard is displaying invalid characters
    5499: cbamazon: Shipping Method descriptions use Amazon service levels instead of Merchant configured descriptions
    5524: cswizard: Creates encryption keys with empty passphrase

    Rick Wilson
    Miva, Inc.
    [email protected]


      Re: Miva Merchant Production Release 7 (aka Wombat) Is Released - Part 3

      Other Changes

      New order management functionality:
      - Tracking of order and order item status.
      - Backorder management.
      - Support for multiple shipments in a single order.
      - Orders may now be created, updated, and otherwise manipulated through the administrative interface.
      - Streamlined user interface for easy integration into an existing order processing workflow.
      - Template-based shipment picklist.
      - RMA generation and return shipment processing functionality.
      - New modules allow notifications to be sent when orders are shipped or RMAs are issued or received.
      - The previous order management interface is still available as "Legacy Order Processing" under the Utilities item in the left navigation window.

      Support for advanced payment processing operations:
      - Multiple payment transactions may now be associated with a single order.
      - Support for split capture, refunds, and voids.
      - All modules may be used for simple authorization and capture. The following modules support the advanced payment operations:
        - CHASE Paymentech Orbital Gateway
        - Innovative Gateway
      - Order history and status functionality has been added to the shopping interface.
      - Customers may view their order history using their Customer account, or look up order history based on billing email address and zip code.
      - Encryption private keys are now (optionally) stored in a separate database from the encrypted data, as required by PA-DSS.
      - Address Line 2 is now available, with an API compatibility layer for interoperability with old 3rd-party modules.
      - Shipping labels may now be generated from inside the administrative interface for USPS and UPS.
      - An entirely new CSS-based user interface is now available, and is the default option for newly created stores.
      - Redesigned Import and Export module user interfaces.
      - Inventory availability and dynamic pricing may now be controlled at the attribute level:
        - A new setting (the I column) on the Attributes tab allows attributes to be flagged as Inventory Attributes, and two new tabs on the Edit Product screen are now available for configuring combinations of attributes.
        - A new StoreMorph item, "attributemachine", provides functionality to automatically enable/disable attribute values and display live inventory and dynamic pricing.
      - Newly added "Active" button on the Product Batch Edit screen allows the user to display only products that are marked as active. This is now the default setting.
      - If a secure URL to the administrative interface is configured, a redirect is now used to force administrative users to log in securely. For debugging/repair purposes, the redirect may be avoided by appending "NonSecureMode=1" to the URL.
      - Runtime customer and affiliate login error messages are now more ambiguous to avoid leaking sensitive information.
      - Provisioning functionality is now available for the domain country list.
      - Administrative interface audit logging using the UNIX syslog() facility has been added for PA-DSS compliance, when using the 5.07 engine. A new Domain table column, "log_fac", controls the logging facility used for these messages. The default is "local2".
      - A new PA-DSS Checklist tab has been added to the Domain Settings screen. This tab will verify that the software has been configured according to our PCI Implementation Guide.
      - The creation date of order encryption keys is now tracked so that the keys may be rotated on a regular basis, as required for PA-DSS. The creation date is displayed on the Store Encryption screen, and the age of the current key is verified on the PA-DSS Checklist tab of the Domain Settings screen.
      - The minimum encryption key passphrase length is now 16 characters for newly created keys, as required for PA-DSS.
      - User supplied passphrases are now XOR'd with a software key when encrypting a private key, as required for PA-DSS.
      - Administrative sessions are now managed by two tokens. A cookie controls visual access to the administrative interface, and the parameter Session_ID now controls actions. Session_ID must be present for administrative actions to execute, and the cookie must be present to render display elements. Existing modules should not require modification as long as they use the existing admin UI API functions and the g.sessionurl or g.secure_sessionurl variables. The admin session cookies expire on both the client and server in the timeout period specified by the domain settings, and are set using the "secure" cookie flag. These changes are intended to combat session fixation, cross site request forging, and session leakage.
      - The administrative UI code now passes the Screen and Tab parameters through the URI, to make the HTTP access log more informational. Session_ID, when possible, is passed through POST parameters. New variables g.adminurl and g.secure_adminurl provide the correct URL to the administrative interface without the Session_ID parameter that is present in the sessionurl variables.
      - Removed an unnecessary MvLOCKFILE that reduced performance with a large number of concurrent admin accesses.
      - The administrative login screen and all administrative screens which collect credit card information now explicitly disallow browser autofill.
      - Modules will now fail to update if a store-table level feature (UI, Currency, or Tax) has been added or removed while the module is in use by one or more stores.
      - The Product Attribute XML export module now has an option to control whether existing attributes are deleted or updated when running the exported XML data.
      - New runtime session management system for enhanced security and to avoid cookie errors from PCI scanners.
      - New administrative settings for controlling the output of shopping interface cookies and when session identifiers are included in links.
      - Attribute templates may now be "used" on a product more than once, by specifying a unique attribute code when assigning the template to the product.
      - The "Copy?" checkbox is now hidden when editing an Attribute (it was never functional in this case).
      - Attribute and option prompts are now available through the StoreMorph tokens attr_prompt and opt_prompt.
      - SEO settings may now be configured through provisioning.
      - When using the 5.07 engine, date/time stamps properly account for daylight savings time.
      - The ID, code, and name of the current page are now available through the StoreMorph tokens page:id, page:code, and page:name for all pages.
      - A new component, cmp-mv-content, provides one or more templates that may be pulled into pages.
      - A new component, cmp-mv-http-headers and associated item http_headers allow HTTP headers to be controlled on a page. This component is used to output a 404 Not Found error on the NTFD page.
      - admin.mvc now sets g.Store_Module_UI, which contains the path to the module file providing the current store's UI.
      - Full module records for Tax, Currency, and UI modules are now available in g.Store:tax_mod, g.Store:currncy_mod, and g.Store:ui_mod
      - Category parents are now validated for circular hierarchies at the database layer, in Category_Update. If a circular hierarchy is detected, the update will fail. Module developers may call Category_Validate_Parent( category var ) to perform the hierarchy validation separately.
      - Implemented the buySAFE Buyer Preference feature.
      - The Create Store Wizard now creates stores using CSSUI.

      Rick Wilson
      Miva, Inc.
      [email protected]
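
The two-token administrative session model described in the Part 3 notes (a cookie gates what is rendered, the Session_ID parameter gates actions, both expire at the configured timeout), sketched in Python as an added example; it is not Miva Merchant code. The cookie name, the `Action` parameter, the in-memory store and the choice to check only the token the notes name for each operation are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

COOKIE_NAME = "admin_session"  # hypothetical cookie name


@dataclass
class AdminSession:
    session_id: str    # Session_ID request parameter: authorises actions
    cookie: str        # cookie value: authorises rendering of admin screens
    expires_at: float  # server-side expiry


class AdminSessionStore:
    def __init__(self, timeout_seconds):
        self.timeout = timeout_seconds
        self.sessions = []

    def login(self, now):
        # Both tokens are minted by the server at login, never taken from the
        # request, so a Session_ID planted beforehand is never adopted.
        s = AdminSession(secrets.token_urlsafe(32), secrets.token_urlsafe(32),
                         now + self.timeout)
        self.sessions.append(s)
        return s

    def set_cookie_header(self, s):
        # Client-side expiry mirrors the server-side timeout; "Secure" keeps
        # the cookie off plain-HTTP requests.
        return f"Set-Cookie: {COOKIE_NAME}={s.cookie}; Max-Age={self.timeout}; Secure; Path=/"

    def _live(self, field, presented, now):
        if not presented:
            return False
        return any(
            now < s.expires_at
            and hmac.compare_digest(getattr(s, field).encode(), presented.encode())
            for s in self.sessions
        )

    def may_render(self, cookie, now):
        return self._live("cookie", cookie, now)

    def may_act(self, session_id, now):
        return self._live("session_id", session_id, now)


def handle(store, cookies, params, now):
    """Return (screen_rendered, action_executed) for one admin request."""
    rendered = store.may_render(cookies.get(COOKIE_NAME), now)
    # "Action" is a constructed parameter name standing in for any state change.
    acted = "Action" in params and store.may_act(params.get("Session_ID"), now)
    return rendered, acted
```

A request that carries only the cookie, which is all a browser attaches automatically to a cross-site request, renders but executes nothing; a Session_ID without the cookie renders nothing.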