Production Release 7 Release Notes
Posted by Wayne Smith, Last modified by Wayne Smith on 02 April 2011 07:45 AM
Bug Fixes:

  • #479: Second Address line at checkout

  • #1220: Runtime >> Create Affiliate Account >> After an account is created, refreshing causes duplicate records

  • #1912: State based sales tax not rounding correctly

  • #4733: PayPal Pro express not sending order details


  • #4775: Displayed numeric values not rounded (WAS: ups: Handling charge is not rounded properly)

  • #4893: If Merchant5/sNN directory does not exist, components silently fail to update

  • #4903: delete_store.mv: Tables that no longer exist are still deleted

  • #4920: Launchpad buttons not assigned to a store causes a runtime error

  • #4927: prodimpt: "Delete Existing Data When Imported Data Is Empty" deletes all custom field values

  • #4929: Amazon Simple Pay - quotes in store name cause invalid signature

  • #4931: Chase PaymentTech needs to be updated to include general changes we've made to all payment modules

  • #4936: No validation of affiliate code when inserting/updating at runtime

  • #4937: No page heading for 'Add an Affiliate' in admin


  • #4942: Need to update PayFlow Pro XMLPayRequest URL.

  • #4952: Sitemap component not being exported correctly when saving a framework

  • #4953: Frameworks not implementing their contained category_tree component correctly

  • #4954: Google Checkout needs control over the Default Shipping Method

  • #4956: admin.mv: Miva_ValidateFileUpload returns 0 if OpenDataFiles fails

  • #4961: Module feature changes are not propagated to stores on update

  • #4967: Sitemap item is not exporting its template when saving a framework

  • #4971: External CSS files are not parsed for images when exporting a framework

  • #4976: Chase only allows 30 characters in address field


  • #4977: Searching "Invoice Date" searches UNIX timestamp

  • #4988: Product export is extremely slow on MivaSQL

  • #4992: It's possible to create a circular category hierarchy in the admin

  • #4998: when importing products you can add products to categories even if you choose to Keep Existing Products

  • #4999: Product Export does not have any way to specify a delimiter

  • #5001: Attribute template options copied to a product cannot be sorted

  • #5003: USPS trademark symbol should be changed from an ascii char to an entity

  • #5004: It is possible to create an Affiliate account with no password at runtime.

  • #5005: When custeml module is set to inactive, you cannot create a new store.


  • #5008: There is no way to provision domain countries

  • #5011: countries removed from Domain Settings -> Countries still show up during checkout

  • #5056: PCHDFT item does not remove records when the product is deleted from the Batch Edit.

  • #5057: PCHDFT item does not remove records when the category is deleted from the Batch Edit.

  • #5059: EuroVAT Product Price Includes VAT option shouldn't calculate tax for other Basket Charges

  • #5065: Buysafe bonding charges are being charged tax, but they should not be

  • #5070: Flat File Customer Export has an inconsistent header field name.

  • #5071: Flat File Product Export module doesn't have an option to specify the delimiter

  • #5072: Import/Export Product/Category need to also support Headers & Footers


  • #5086: Frameworks don't overwrite existing css files

  • #5103: Category import does not allow deletion of custom field data

  • #5104: Import Customers from Flat File does not handle custom customer fields

  • #5111: Force secure admin login when a secure URL is configured

  • #5126: Edit_Store variable can be used to create a store.

  • #5127: XSS: Add/Edit Module, Module_Module unencoded

  • #5128: XSS: Domain/LaunchPad, LaunchPadButton[n]:label/:sublabel

  • #5129: XSS: JavaScriptEncode does not prevent against HTML comment-based attacks

  • #5131: Domain: LaunchPad tab: Hidden error messages


  • #5133: Upsell Batch Edit: SQL Injection on Upsell_Search

  • #5134: Category Batch Edit Screen: XSS On Custom_Fields[n]:values

  • #5135: Category Batch Edit Screen: XSS on Category_Search

  • #5136: Groups has an XSS vulnerability on privilege/name fields.

  • #5140: Edit Page: XSS on Page_Code

  • #5141: Product Batch Edit Screen: XSS On Custom Fields variables

  • #5142: Product Batch Edit Screen: XSS on Product_Search

  • #5143: Customer Batch Edit: XSS on Custom_Fields[]:xxx

  • #5144: Product Export: XSS on Product_Check_CustomFields[n]:name


  • #5145: Customer Export: XSS on Customer_Check_CustomFields[n]:name

  • #5146: Category Export: XSS on Category_Check_CustomFields[n]:name

  • #5147: Custom Fields Module: Category tab outputs custom field name unencoded

  • #5148: cmp-mv-prodctgy-meta: XSS on category component tab

  • #5151: We need to make Runtime Login error reporting more ambiguous.

  • #5157: USPS runtime error with zip+4 for Puerto Rico

  • #5158: Module Batch Edit Screen: XSS on Module Feature List

  • #5159: Edit Category >> Custom Fields >> XSS on CFM_Fields[n]:name

  • #5160: Domain >> SEO Settings Tab >> XSS on SEO_Settings:cat_lit


  • #5161: Customers >> Edit Customer >> Custom Fields Tab >> XSS on CFM_Fields

  • #5162: SQL Injection in Google Checkout

  • #5163: Google Checkout has some XSS vulnerabilities.

  • #5164: Legacy Printer Friendly Order Screen: XSS on Edit_Store

  • #5165: Upgrade Wizard: XSS on Upgrade_Message.

  • #5166: License Manager URL for update.mvc goes to licensemgr.miva.com

  • #5167: Domain >> Launchpad tab loads the module list inefficiently.

  • #5168: Store Modules Screen: Infinite loop when g.Module_Count is not an integer

  • #5171: Admin > SEO Settings > URL Delimiter field does not validate its input


  • #5173: CSSUI Buttons: XSS on store tab

  • #5175: cmp-mv-meta: Cross Site Scripting

  • #5176: Runtime > Edit Affiliate > Payment Date is not formatted.

  • #5180: Utilities >> Google Checkout Orders >> The Layout appears broken.

  • #5182: Denial of service attack through Product_Attribute_Count

  • #5183: Denial of service attack through Upsell_Product_Count

  • #5184: Runtime >> Affiliate Links is overwriting g.Affiliate

  • #5185: ItemModified is not cleared on Reset/Update/Delete

  • #5186: Upsell Settings: Validation error when products to show is "Unlimited"


  • #5187: malf: Multiple upsold products are not logged

  • #5193: customfields: No provisioning for category custom fields

  • #5198: Provisioning: UI Module validation errors when creating multiple stores in the same provisioning file

  • #5204: authnet orders do not show credit card type.

  • #5208: PayPalPro Payment Settings Tab hides Product_Offset twice

  • #5209: PayPalPro Product_Search is unencoded.

  • #5210: The Next/Previous buttons fail on Products that have an ampersand in the Product Code

  • #5211: Missing <tr> from first row of tabs in DrawTabs


  • #5215: PopupFileUpload() contains misspelled encodeURIComponent()

  • #5216: Account links use non-secure urls

  • #5222: Runtime >> The Logout Link on Customer Edit screen should be using secure_sessionurl

  • #5223: MMUI >> Runtime >> Customer Account page only shows up on Customer Login

  • #5233: Encryption Keys created through provisioning have empty passphrases

  • #5235: Cannot assign an attribute template to a product more than once

  • #5239: Chase AVS only allows US, UK, CA and GB

  • #5240: Currency, tax, or UI modules cannot create self-referential items during installation

  • #5241: TemplateManager_Create_Page_LowLevel aborts page creation if items from Template_Items do not exist


  • #5242: Importing Category header/footer from flat file does not create compiled template file

  • #5243: XSS: Custom_Fields[n]:name on category batch edit screen

  • #5244: XSS: Submit_Config_Data:login_url on Miva Merchant Submit Configuration screen

  • #5245: XSS: Order_Search on Legacy Order Processing batch edit screen

  • #5246: XSS: Custom_Fields[n]:name on customer batch edit screen

  • #5247: XSS: subTab on google checkout configuration screen

  • #5248: XSS: Shipping_MvFedEx_Services[n]:name on shipping configuration screen

  • #5249: XSS: Shipping_USPS_DomMethods[n]:name on shipping configuration screen

  • #5250: XSS: Shipping_USPS_IntMethods[n]:name on shipping configuration screen


  • #5251: XSS: Custom_Fields[n]:name on product batch edit screen

  • #5252: XSS: Product List components on settings:fields_custom[n]:name

  • #5253: XSS: Category Tree/List components: settings:fields_custom[n]:name

  • #5256: XSS: Product Display components: settings:fields_custom[n]:name

  • #5257: XSS: cmp-mmui-buttons: MMUI_Buttons[n]:prompt

  • #5258: category_list tab has an infinite loop in admin

  • #5259: product_list tab has infinite loop in admin

  • #5270: Custom field provisioning does not verify that the module is installed in the store being provisioned

  • #5293: After deleting a module, control should return to the module batch edit screen


  • #5294: PayPalPro returns no report fields

  • #5309: The copyright dates should be updated.

  • #5313: Canadian VAT not calculating properly

  • #5314: Cannot enable product inventory and set stock level in the same tag

  • #5316: No provisioning for domain SEO settings

  • #5320: remove.mvc not removing tables

  • #5322: InventoryProductSettings_Update does not set proper defaults for non-present optional tags when enabling inventory

  • #5323: PayPal IPN - Shipping Address that's entered on PayPal's side, does not come back to Miva Merchant.


  • #5324: Future PRV_Tag_Date dates are generated with incorrect daylight savings time adjustment

  • #5339: AttributeTemplates.d.refcount not updated

  • #5343: Cannot swap between attribute templates via product update provisioning

  • #5346: SkinsComponentModule_Export fails to export content from more than one item

  • #5347: Pages' IDs, codes and names are not available to the template language at runtime

  • #5348: When modifying a page during uninstall, a module must remove references to all its items

  • #5349: Framework install code fails to apply templates for components with multiple items

  • #5352: NTFD page outputs 200 Success Status code (was: Need to create page-level custom HTTP header component)

  • #5362: prodimpt: Setting the Track Product Inventory field to "No" does not remove relevant records.


  • #5366: UPS is still using the old mmp.miva.com URL

  • #5371: setup.mv: Code which pre-populates UpgradeInstalledPatches was not merged from feature-upg-4

  • #5375: PayPal Pro was missing the build_ident tag.

  • #5378: Flat file import modules allow invalid email addresses for password recovery email field

  • #5379: Admin_Open_Store does not load any information about the UI module

  • #5380: Store_Open: g.Store_Framework_Inuse code is inefficient and inexact

  • #5407: USPS Online Rate Calculation is allowing bolded fields to contain empty values

  • #5416: Order Encryption allows creation of keys with whitespace as prompts

  • #5419: Edit Store >> Maintenance Mode tab >> Warning and Maintenance Messages should be top aligned.


  • #5457: Customer, category, and order export modules do not validate the user-defined email address field

  • #5458: SEO settings functions aren't encoding ampersands when generating traditional links

  • #5459: MMUI Sitemap component has duplicate Miva Merchant footer link in its default template

  • #5465: cmp-mmui-orderlist: Component does not reset to point + click mode from advanced mode via provisioning

  • #5470: MMUI: Sitemap page doesn't support css_fw

  • #5471: Edit Product: Cannot assign an attribute template to a product if it has a colon (:) in its code

  • #5473: setup.mv references support.smallbusiness.miva.com

  • #5482: cusimpt: Does not validate customer login

  • #5495: Payment Configuration Wizard is displaying invalid characters


  • #5499: cbamazon: Shipping Method descriptions use Amazon service levels instead of Merchant configured descriptions



Other Changes
    New order management functionality:
  • Tracking of order and order item status.

  • Backorder management.

  • Support for multiple shipments in a single order.

  • Orders may now be created, updated, and otherwise manipulated through the administrative interface.


  • Streamlined user interface for easy integration into an existing order processing workflow.

  • Template-based shipment picklist.

  • RMA generation and return shipment processing functionality.

  • New modules allow notifications to be sent when orders are shipped or RMAs are issued or received.

  • The previous order management interface is still available as "Legacy Order Processing" under the Utilities item in the left navigation window.



    Support for advanced payment processing operations:
  • Multiple payment transactions may now be associated with a single order.

  • Support for split capture, refunds, and voids.
      All modules may be used for simple authorization and capture. The following modules support the advanced payment operations:
    • CHASE Paymentech Orbital Gateway

    • Innovative Gateway




    Order history and status functionality has been added to the shopping interface.
  • Customers may view their order history using their Customer account, or look up order history based on billing email address and zip code.




  • Encryption private keys are now (optionally) stored in a separate database from the encrypted data, as required by PA-DSS.

  • Address Line 2 is now available, with an API compatibility layer for interoperability with old 3rd-party modules.

  • Shipping labels may now be generated from inside the administrative interface for USPS and UPS.

  • An entirely new CSS-based user interface is now available, and is the default option for newly created stores.

  • Redesigned Import and Export module user interfaces.


    Inventory availability and dynamic pricing may now be controlled at the attribute level:
  • A new setting (the I column) on the Attributes tab allows attributes to be flagged as Inventory Attributes, and two new tabs on the Edit Product screen are now available for configuring combinations of attributes.

  • A new StoreMorph item, "attributemachine", provides functionality to automatically enable/disable attribute values and display live inventory and dynamic pricing.




  • Newly added "Active" button on the Product Batch Edit screen allows the user to display only products that are marked as active. This is now the default setting.

  • If a secure URL to the administrative interface is configured, a redirect is now used to force administrative users to log in securely. For debugging/repair purposes, the redirect may be avoided by appending "NonSecureMode=1" to the URL.

  • Runtime customer and affiliate login error messages are now more ambiguous to avoid leaking sensitive information.

  • Provisioning functionality is now available for the domain country list.

  • Administrative interface audit logging using the UNIX syslog() facility has been added for PA-DSS compliance, when using the 5.07 engine. A new Domain table column, "log_fac", controls the logging facility used for these messages. The default is "local2".

  • A new PA-DSS Checklist tab has been added to the Domain Settings screen. This tab will verify that the software has been configured according to our PCI Implementation Guide.

  • The creation date of order encryption keys is now tracked so that the keys may be rotated on a regular basis, as required for PA-DSS. The creation date is displayed on the Store Encryption screen, and the age of the current key is verified on the PA-DSS Checklist tab of the Domain Settings screen.

  • The minimum encryption key passphrase length is now 16 characters for newly created keys, as required for PA-DSS.


  • User supplied passphrases are now XOR'd with a software key when encrypting a private key, as required for PA-DSS.

  • Administrative sessions are now managed by two tokens. A cookie controls visual access to the administrative interface, and the parameter Session_ID now controls actions. Session_ID must be present for administrative actions to execute, and the cookie must be present to render display elements. Existing modules should not require modification as long as they use the existing admin UI API functions and the g.sessionurl or g.secure_sessionurl variables. The admin session cookies expire on both the client and server in the timeout period specified by the domain settings, and are set using the "secure" cookie flag. These changes are intended to combat session fixation, cross site request forging, and session leakage.

  • The administrative UI code now passes the Screen and Tab parameters through the URI, to make the HTTP access log more informational. Session_ID, when possible, is passed through POST parameters. New variables g.adminurl and g.secure_adminurl provide the correct URL to the administrative interface without the Session_ID parameter that is present in the sessionurl variables.

  • Removed an unnecessary MvLOCKFILE that reduced performance with a large number of concurrent admin accesses.

  • The administrative login screen and all administrative screens which collect credit card information now explicitly disallow browser autofill.

  • Modules will now fail to update if a store-table level feature (UI, Currency, or Tax) has been added or removed while the module is in use by one or more stores.

  • The Product Attribute XML export module now has an option to control whether existing attributes are deleted or updated when running the exported XML data.

  • New runtime session management system for enhanced security and to avoid cookie errors from PCI scanners.

  • New administrative settings for controlling the output of shopping interface cookies and when session identifiers are included in links.


  • Attribute templates may now be "used" on a product more than once, by specifying a unique attribute code when assigning the template to the product.

  • The "Copy?" checkbox is now hidden when editing an Attribute (it was never functional in this case).

  • Attribute and option prompts are now available through the StoreMorph tokens attr_prompt and opt_prompt.

  • SEO settings may now be configured through provisioning.

  • When using the 5.07 engine, date/time stamps properly account for daylight savings time.

  • The ID, code, and name of the current page are now available through the StoreMorph tokens page:id, page:code, and page:name for all pages.

  • A new component, cmp-mv-content, provides one or more templates that may be pulled into pages.

  • A new component, cmp-mv-http-headers and associated item http_headers allow HTTP headers to be controlled on a page. This component is used to output a 404 Not Found error on the NTFD page.

  • admin.mvc now sets g.Store_Module_UI, which contains the path to the module file providing the current store's UI


  • Full module records for Tax, Currency, and UI modules are now available in g.Store:tax_mod, g.Store:currncy_mod, and g.Store:ui_mod

  • Category parents are now validated for circular hierarchies at the database layer, in Category_Update. If a circular hierarchy is detected, the update will fail. Module developers may call Category_Validate_Parent( category var ) to perform the hierarchy validation separately.

  • Implemented the buySAFE Buyer Preference feature.

  • The Create Store Wizard now creates stores using CSSUI.
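
A minimal model of the two-token administrative session described in the notes above, as an added example that is not Miva Merchant code. The class, the cookie name, the token format, the 900-second timeout, and the choice to bind Session_ID to the same server-side record as the cookie are all assumptions.

```python
import hmac
import secrets
import time


class AdminSessions:
    """Hypothetical server-side store pairing a cookie token with a Session_ID."""

    def __init__(self, timeout=900, clock=time.time):
        self._timeout = timeout      # assumed value; the real one comes from domain settings
        self._clock = clock
        self._by_cookie = {}         # cookie token -> (Session_ID, server-side expiry)

    def login(self):
        # Both tokens are generated fresh at login, so a value planted before
        # authentication (session fixation) is never adopted.
        cookie = secrets.token_urlsafe(32)
        session_id = secrets.token_urlsafe(32)
        self._by_cookie[cookie] = (session_id, self._clock() + self._timeout)
        # "admin_session" is a made-up cookie name. Max-Age mirrors the server expiry.
        header = f"Set-Cookie: admin_session={cookie}; Secure; Max-Age={self._timeout}"
        return header, cookie, session_id

    def _live(self, cookie):
        entry = self._by_cookie.get(cookie or "")
        if entry is None:
            return None
        if self._clock() >= entry[1]:
            del self._by_cookie[cookie]   # expire on the server, not only in the browser
            return None
        return entry

    def may_render(self, cookie):
        """Display elements are gated on the cookie alone."""
        return self._live(cookie) is not None

    def may_act(self, cookie, session_id):
        """State-changing actions also need the Session_ID request parameter."""
        entry = self._live(cookie)
        if entry is None or not session_id:
            return False
        return hmac.compare_digest(entry[0].encode(), session_id.encode())


def demo():
    now = [1000.0]                        # constructed clock so expiry is deterministic
    sessions = AdminSessions(timeout=900, clock=lambda: now[0])
    header, cookie, sid = sessions.login()
    out = {
        "secure_flag": "; Secure" in header,
        "render": sessions.may_render(cookie),
        # A cross-site forged request: the browser attaches the cookie
        # automatically, but the forging page cannot supply Session_ID.
        "forged_action": sessions.may_act(cookie, None),
        "wrong_id": sessions.may_act(cookie, "constructed-guess"),
        "real_action": sessions.may_act(cookie, sid),
    }
    now[0] += 901
    out["after_timeout"] = sessions.may_act(cookie, sid)
    return out
```

Because Session_ID travels as a request parameter, a module that builds its own admin links without g.sessionurl or g.secure_sessionurl would correspond to the cookie-only case here and have its actions refused.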

