m5 old links



I swore I sent this earlier but it seems I didn't.

You don't need an SFL program to allow old SFL type links to work
with MIVA Merchant 5, all you need are some good rewrite rules
written.

Generating the urls in that style in the store is where you need
a module, or code changes, or template changes, or whatever.

For example:

Normal url generated something like this:

"{ g.someglobalvar $ 'screen=3DCTGY&Category_Code=3D' g.category_code
}"

Results in something like this:

somesite.com/mm5/merchant.mvc?store_code=3Dmystore&screen=3DCTGY&Ca te
gory_Code=3Ddvds

SFL style link is something like this:

somesite.com/page/mystore/CTGY/dvds

rewrite rule is something like this:

.*/page/(.*)/CTGY/(.*)/$
/mm5/merchant.mvc?store_code=3D$1&screen=3DCTGY&categor y_code=3D$2

An SFL style url to a product page is something like this

somesite.com/page/mystore/PROD/DA001

rewrite rule needs to be something like this:

.*/page/(.*)/PROD/(.*)/(.*)/$
/mm5/merchant.mvc?store_code=3D$1&screen=3DPROD&product _code=3D$3&categ
ory_code=3D$2

But to make all your pages generate urls like that you need to
edit the templates containing the urls.

For the product list for example the code is like this:

<a
href=3D"&mvt:global:sessionurl;Screen=3DPROD&Store _Code=3D&mvta:global:
Store_Code;&Product_Code=3D&mvta:product:code;&Cat egory_Code=3D&mvta:
global:Category_Code;">&mvt:product:code;</a>

You need to change it to something like this:

<a
href=3D"http://yoursite.com/page/&mvta:global:Store_Code;/PROD/&mvt
a:global:Category_Code;/&mvta:product:code;">&mvt:product:code;</
a>

If you were going to do such editing there are much better styles
of urls to use than the SFL style, having urls with full names of
categories and products is much better from an SEO stand point.
For example we have made manual changes to clients' 4.x MMUI
stores very quickly and easily that allows urls like:

site.com/some-descriptive-category-code-here.html
site.com/some-long-programaticly-altered-to-add-dashes-product-na
me-here_sku.html

The rewrite rules to convert such urls to Miva Merchant pages are
simple.

But anyway back to MM5, there are some challenges in that certain
urls aren't readily available in the templates, most notably the
category tree, but you can either replace the module that
controls the category tree, use a hard coded one, or there may be
other options that could be come up with after a bit of thinking.
Also there are limitations in the token language in that you
can't use Miva script directly so for fancy rewritten urls the
creation of a small module that does the rewrite that can be
loaded as an item and then referenced on the pages would probably
be the way to go for fancy urls like the ones we normally do in
old 4.x MMUI stores.

Anyway I hope these thoughts help.

- Jeff Huber
President, 4TheBest eCommerce Solutions
http://4TheBest.com
[email protected]
Office: 760-742-1469
Cell: 760-445-8454
=20


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Jen
Ferraz
Sent: Tuesday, May 03, 2005 9:23 AM
To: [email protected]
Subject: RE: [m5u] m5 old links


John:

You can create new Pages with the same
codes as you have used in the Viking module.
The SFL links will be dependent on the availability
of a similar module for MM5.



Jen
Hostasaurus.Com
Miva Premier Hosting Partner
813.971.8772
[email protected]


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of John
Fischer
Sent: Tuesday, May 03, 2005 12:22 PM
To: [email protected]
Subject: [m5u] m5 old links


Group-
I have a store that depends on the millions of links scattered
all over
the
internet. For example, Google alone has over 90,000 pages indexed
in my
site
these are Merchant style links, and SFL links as well as static
pages
and
Viking coders additional screens pages with SFL link styles and
Merchant
links.

When I migrate how can I ensure all of these links will still
work?

Cheers,
John

m5 old links



This is very true, but some users will be saved from hell if they have the
upgrade to account for possibly thousands of sfl links already indexed by
the search engines. Purchasing a $40 upgrade would be well worth it. When
we take on new clients with sfl already, we don't remove sfl if we implement
a new link style. We simply add it in addition to sfl. Unlike the
misinformation that goes around sometimes, having two different styles going
to the same content is not going to kill you.

Jason


I swore I sent this earlier but it seems I didn't.

You don't need an SFL program to allow old SFL type links to work
with MIVA Merchant 5, all you need are some good rewrite rules
written.

Generating the urls in that style in the store is where you need
a module, or code changes, or template changes, or whatever.

For example:

Normal url generated something like this:

"{ g.someglobalvar $ 'screen=CTGY&Category_Code=' g.category_code
}"

Results in something like this:

somesite.com/mm5/merchant.mvc?store_code=mystore&screen=CTGY&Cate
gory_Code=dvds

SFL style link is something like this:

somesite.com/page/mystore/CTGY/dvds

rewrite rule is something like this:

.*/page/(.*)/CTGY/(.*)/$
/mm5/merchant.mvc?store_code=$1&screen=CTGY&category_co de=$2

An SFL style url to a product page is something like this

somesite.com/page/mystore/PROD/DA001

rewrite rule needs to be something like this:

.*/page/(.*)/PROD/(.*)/(.*)/$
/mm5/merchant.mvc?store_code=$1&screen=PROD&product_cod e=$3&categ
ory_code=$2

But to make all your pages generate urls like that you need to
edit the templates containing the urls.

For the product list for example the code is like this:

<a
href="&mvt:global:sessionurl;Screen=PROD&Store_Cod e=&mvta:global:
Store_Code;&Product_Code=&mvta:product:code;&Categ ory_Code=&mvta:
global:Category_Code;">&mvt:product:code;</a>

You need to change it to something like this:

<a
href="http://yoursite.com/page/&mvta:global:Store_Code;/PROD/&mvt
a:global:Category_Code;/&mvta:product:code;">&mvt:product:code;</
a>

If you were going to do such editing there are much better styles
of urls to use than the SFL style, having urls with full names of
categories and products is much better from an SEO stand point.
For example we have made manual changes to clients' 4.x MMUI
stores very quickly and easily that allows urls like:

site.com/some-descriptive-category-code-here.html
site.com/some-long-programaticly-altered-to-add-dashes-product-na
me-here_sku.html

The rewrite rules to convert such urls to Miva Merchant pages are
simple.

But anyway back to MM5, there are some challenges in that certain
urls aren't readily available in the templates, most notably the
category tree, but you can either replace the module that
controls the category tree, use a hard coded one, or there may be
other options that could be come up with after a bit of thinking.
Also there are limitations in the token language in that you
can't use Miva script directly so for fancy rewritten urls the
creation of a small module that does the rewrite that can be
loaded as an item and then referenced on the pages would probably
be the way to go for fancy urls like the ones we normally do in
old 4.x MMUI stores.

Anyway I hope these thoughts help.

- Jeff Huber
President, 4TheBest eCommerce Solutions
http://4TheBest.com
[email protected]
Office: 760-742-1469
Cell: 760-445-8454



-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Jen
Ferraz
Sent: Tuesday, May 03, 2005 9:23 AM
To: [email protected]
Subject: RE: [m5u] m5 old links


John:

You can create new Pages with the same
codes as you have used in the Viking module.
The SFL links will be dependent on the availability
of a similar module for MM5.



Jen
Hostasaurus.Com
Miva Premier Hosting Partner
813.971.8772
[email protected]


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of John
Fischer
Sent: Tuesday, May 03, 2005 12:22 PM
To: [email protected]
Subject: [m5u] m5 old links


Group-
I have a store that depends on the millions of links scattered
all over
the
internet. For example, Google alone has over 90,000 pages indexed
in my
site
these are Merchant style links, and SFL links as well as static
pages
and
Viking coders additional screens pages with SFL link styles and
Merchant
links.

When I migrate how can I ensure all of these links will still
work?

Cheers,
John

m5 old links



Hi Markus,

As with all things legal, there is more complexity to things than
there sometimes seems.

You may be right that there is an issue but what one part of
their site says seems to contradict what the other says.

Specifically to your point though, Miva doesn't require MySQL to
be installed to use their software it is one of the OPTIONS.

The word MUST carries a lot of weight in legal documents, and I
think it is clear that people are not required to install MySQL
to use Miva Merchant.

I am not a lawyer, and I don't KNOW what the case is, but my
reading of the licenses makes me feel safe that end-users don't
need a commercial license.

I certainly am interested in hearing more of your, or other
peoples thoughts on this issue though, because I would hate to be
wrong:)



- Jeff Huber
President, 4TheBest eCommerce Solutions
http://4TheBest.com
[email protected]
Office: 760-742-1469
Cell: 760-445-8454
=20


-----Original Message-----
From: MvMarkus [mailto:[email protected]]=20
Sent: Tuesday, May 03, 2005 2:06 PM
To: 'Jeff Huber - Listmail'; 'David Hubbard';
[email protected]
Subject: RE: [m5u] m5 old links


Hi Jeff,

I hate to contradict you, but the MySQL-terms when a commercial
license is
required are quite clear:

=20
<A HREF ="http://www.mysql.com/company/legal/licensing/commercial-license.h">http://www.mysql.com/company/legal/licensing/commercial-license.h</A>
tml

Among others, this states that a commercial license is required
for "Selling
software that requires customers to install MySQL themselves on
their own
machines."=20

or

"If you develop and distribute a commercial application and as
part of
utilizing your application, the end-user must download a copy of
MySQL; for
each derivative work, you (or, in some cases, your end-user) need
a
commercial license for the MySQL server and/or MySQL client
libraries."



The point is that neither you, nor I, nor anybody else except
Miva and MySQL
ABE can clearly answer this question, and this is the EXACTLY
reason why I
posted it as "questions to be answered by Miva Corp". I think it
is indeed
very important (and only fair) to know exactly who is supposed to
get such
license - the user, the ISP, Miva Corp? It might very well be
possible (yet
quite unlikely) that they have some kind of agreement in place
that releaves
endusers or ISPs from a commercial license (NuSphere for example
bought
distribution rights and paid 3/4 of a million dollars), and there
are also
special provisions for PHP apps or ISPs, and some operating
systems might
even have a commercial MySQL in their package.=20

I'm quite certain that Miva's position is "if you want to use
MySQL, it's
your responsibility to be in compliance with any third party
software" -
which is okay, I just want to know to have some clarity on this
issue.=20

markus

If I misunderstood what you were trying to say than I apologize.





-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Jeff
Huber -
Listmail
Sent: Tuesday, May 03, 2005 4:39 PM
To: 'David Hubbard'; [email protected]
Subject: RE: [m5u] m5 old links

Whether MIVA may or may not need a license is something we
naturally can't
KNOW, but I would assume that they crossed all the t's and dotted
all i's
before releasing their stuff.

As for the end user of MIVA Merchant this is a complete non-issue
because
MySQL makes it clear that: "Free use for those who never copy,
modify or
distribute. As long as you never distribute the MySQL Software in
any way,
you are free to use it for powering your application,
irrespective of
whether your application is under GPL license or not."

So if you are an end user of MIVA Merchant there is no license
needed to
choose the MySQL option over the Mivasql option.

You have to remember that the GPL is more about source code
modification
access than use access. They want to make sure people don't take
the MySQL
source code and incorporate it into an application if that
application isn't
a GPL application.

End user are not doping anything at all even vaguely like that,
all they are
doing is using it.

Now, if SuperServers.com offers to sell a server to you that
includes a
fancy control panel they wrote that integrates with MySQL built
in then they
need to read carefully the GPL and see if they need a commercial
license
before they start selling that server, or they need to make sure
the release
all their source code and license everything under GPL

Two totally different types of things.

- Jeff Huber
President, 4TheBest eCommerce Solutions
http://4TheBest.com
[email protected]
Office: 760-742-1469
Cell: 760-445-8454
=20

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
David Hubbard
Sent: Tuesday, May 03, 2005 11:59 AM
To: [email protected]
Subject: RE: [m5u] m5 old links


From: [email protected]=20
>=20
=20
>=20
> 1.) Compiler: When will a new compiler be released (if at all)?
Will=20
> there be any costs involved?

There is one, but I don't know if that's what Miva is currently
shipping
people who buy it.

> 2.) MM5/MySQL licensing issues: Do we need to purchase our own=20
> commercial license of MySQL, do ISPs have to offer commercial
license,=20
> or has Miva Corp. an agreement with MySQL ABE in place that
covers the=20
> end-users?

If Miva has used code from MySQL in Empresa 5 then they need to
license it;
I haven't seen a response on whether that is the case though.
Empresa 5 can
talk to mysql natively without client libraries on the system so
it
definitely has someone's code internal to it that allows
communications with
mysql servers. If the code draws on MySQL's client code in any
way, they
need to commercially license it.

On the server side, the way the license is worded, it says "If
you include
the MySQL server with an application that is not licensed under
the GPL or
GPL-compatible license, you need a commercial license for the
MySQL server."
So it's best to contact them to see how your intended use would
be
interpreted.

=20
> 3.) A statement (confirmation) reg. bug reports only being
accepted=20
> from members of Miva's support plan, and in such case clear=20
> instructions how to submit critical bugs (like security issues)
if one=20
> is not a member of such a support plan. Obviously, I'd like to
see=20
> that Miva is still committed to listen to those issues without=20
> requiring any upfront payments.

I don't agree with charging for bug reporting but at the same
time, knowing
Miva's size and configuration, I think they do need a way to have
support
staff chasing what people would likely report as bugs all day,
especially
with Merchant 5 since a bug could easily be introduced by a
customer
modifying a template in some way. It could take extensive time
per bug
report just to determine that the issue is not a bug, and there
is no way
Miva could deal with that. So having a policy that requires bugs
be
filtered through hosts could work, and most who buy retail
licenses often
buy support anyway so they'd be covered too. I think this bug
reporting fee
will not be a major issue even though it sounds ugly when reading
it.
=20
> 4.) Does the new template mechanism in MM5 require a compiler
on the=20
> server, does Empresa handle the precompilation or are these=20
> interpreted scripts that don't require real compilation?

It recompiles them on the server internally, no extra software
other than
mm5 and Empresa 5.

> 5.) Will there be an upgrade pricing for MM5 for existing users
of MM4=20
> and earlier or will it only be sold as a completely new
product?

I believe Miva's upgrade license price is not changing from what
it
currently is for upgrading to 4.24 from a prior major release;
$400 from
mivacentral. We're offering our customers lower cost options as
I'm sure
the other hosts are too.
=20
>=20
> Most MM5 related questions (changes, new features, availability
of=20
> payment gateways) are probably covered by the docs and your
webpages,=20
> or, since the official release date is only on May 16 ( which I
just=20
> learned today from David), will be addressed at that occasion
or by=20
> the module developers themselves.

Most of the default Miva modules are still present so there is
not a huge
change there.

David

m5 old links



Markus,

I haven't dug into the MivaSQL too much yet but since it uses the same old
native file locking routine that it used to use my guess is that it will be
as secure as it used to be. The SQL it uses is just another way of talking
to its databases (laymans).

Speculating.... any "Injection Hacks" as you state would only be related to
the use of MySQL with Miva Merchant. I would have to do some reading but my
hacker educated guess tells me that this would require an open MySQL port
and other tools.

Let me sum this up.... there should never be an open MySQL port to the
outside world. Miva and other scripts should be required to connect to
localhost for connectivity. Yes, most hosts have this port open and not
blocked at the firewall. I can't speak for the others but we do not as it
isn't allowed through the firewall.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free
support lines for your convenience, great low cost packages to
choose from, Authorize.Net Direct retailer, need high-speed
connectivity well we have that too. Everything a business
needs to succeed. Host with the Pros and sell like one too!




-----Original Message-----
From: MvMarkus [mailto:[email protected]]
Sent: Tuesday, May 03, 2005 1:09 PM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Dear Wil, David,

Thanks a lot for these answers, they're very helpful.

A last word to the bug reports: As you suggested, Wil, I certainly won't
hesitate to send a report to bugs@... if I ever detect one, but of course
I'd like to know that they are taken into consideration, especially since
with v5 there are new potential vulernabilities through SQL injection hacks
that we have never faced before. Considering that most major problems in
PHP/ASP scripts originate right there (and lack of input sanitation, which
then often allows for a SQL hack), I believe that an aggressive and "open"
stance from Miva's side to address those issues is the only way
Miva/Merchant's database layer can remain as secure as we knew it for years.


For that reason, the recent posting about "paying to report bugs" troubled
me quite a bit. But again, I am really only talking about real bugs and
vulnerabilities; not templating/usability issues, and I agree with David
that there will be cases where it's not going to be clear how to interpret a
reported problem.

So I still have my hopes up that the people in San Diego will not ignore a
message that indicates some nasty SQL injection through a cookie... I
certainly don't want to find the public posting of an exploit of such
vulernability during my weekly readings of @RISK (SANS Institute).

markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil Hatfield
Sent: Tuesday, May 03, 2005 3:23 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

Well David already did a great job answering. My additions follow:

3. Now that Miva has some money and more proactive staff they have been
being very good about keeping on top of the bugs. They even hired in James
one of the best guys for the job who will be in charge of many things and I
believe making sure those bugs get fixed is one of them even if through
deligation. Here is a good resource... [email protected].

4. In laymans terms, when you modify the "pages" aka "screen layout" in MIVA
Merchant 5 Admin and click the Update button the "page" is compiled directly
into the MM5 software. No compiler required unless you are building your own
external applications or modules.

5. Special upgrade pricing will be available to existing customers. New
customers already get a new MM5 capable license key when they come to us, so
everyone is covered.

Thanks for your perspective and questions. I am going to put together an
"Inside MIVA Merchant 5" page shortly and am glad to have the input so I
know what kind of questions are out there.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 11:28 AM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Hi Wil,

Thanks for the links. The questions that I referred to regard mainly issues
that are only indirectly related to MM5:

(I'm just putting together some that I remember right out of the back of my
mind, others will certainly have many others, and probably more MM or module
specific questions. The purpose is not to start another public discussion,
but simply to get some straight and simple answers from official side).

1.) Compiler: When will a new compiler be released (if at all)? Will there
be any costs involved?

2.) MM5/MySQL licensing issues: Do we need to purchase our own commercial
license of MySQL, do ISPs have to offer commercial license, or has Miva
Corp. an agreement with MySQL ABE in place that covers the end-users?

3.) A statement (confirmation) reg. bug reports only being accepted from
members of Miva's support plan, and in such case clear instructions how to
submit critical bugs (like security issues) if one is not a member of such a
support plan. Obviously, I'd like to see that Miva is still committed to
listen to those issues without requiring any upfront payments.

4.) Does the new template mechanism in MM5 require a compiler on the server,
does Empresa handle the precompilation or are these interpreted scripts that
don't require real compilation?

5.) Will there be an upgrade pricing for MM5 for existing users of MM4 and
earlier or will it only be sold as a completely new product?


Most MM5 related questions (changes, new features, availability of payment
gateways) are probably covered by the docs and your webpages, or, since the
official release date is only on May 16 ( which I just learned today from
David), will be addressed at that occasion or by the module developers
themselves.

Thanks,

Markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil Hatfield
Sent: Tuesday, May 03, 2005 1:27 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

What questions did you have that weren't covered in the docs?

<A HREF ="http://www.hyperconx.com/software/miva-merchant-5.phtml">http://www.hyperconx.com/software/miva-merchant-5.phtml</A>


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 9:44 AM
To: 'David Hubbard'; [email protected]
Subject: RE: [m5u] m5 old links


I still have the hope that yesterday wasn't the official release... Meaning:
I hope they'd at least make a public and official annoucement and answer
some of the questions that were asked here over the past weeks, to set an
end to all the FUD and speculations.

Markus




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Hubbard
Sent: Tuesday, May 03, 2005 12:37 PM
To: [email protected]
Subject: RE: [m5u] m5 old links

It was just released yesterday, I would suspect they will eventually be
releasing many things like that which store owners consider mandatory.

David

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of John
> Fischer
> Sent: Tuesday, May 03, 2005 12:35 PM
> To: [email protected]
> Subject: RE: [m5u] m5 old links
>
> Well I can't migrate to Miva till a M5 SFL is released
>
> Anybody else in that boat?
>
> Is Miva going to ignore us on this issue?
>
>
>
>

m5 old links



IMHO: The main place SFL is needed is in the category tree since there is no
way to edit the category tree yet except by replacing it. And then you don't
get a category tree just a static menu. But I believe this too will become
a thing of the past since and editable category tree is already being
considered by Miva Dev.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free
support lines for your convenience, great low cost packages to
choose from, Authorize.Net Direct retailer, need high-speed
connectivity well we have that too. Everything a business
needs to succeed. Host with the Pros and sell like one too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Jeff Huber -
Listmail
Sent: Tuesday, May 03, 2005 2:24 PM
To: 'Jen Ferraz'; [email protected]
Subject: RE: [m5u] m5 old links


I swore I sent this earlier but it seems I didn't.

You don't need an SFL program to allow old SFL type links to work
with MIVA Merchant 5, all you need are some good rewrite rules
written.

Generating the urls in that style in the store is where you need
a module, or code changes, or template changes, or whatever.

For example:

Normal url generated something like this:

"{ g.someglobalvar $ 'screen=CTGY&Category_Code=' g.category_code
}"

Results in something like this:

somesite.com/mm5/merchant.mvc?store_code=mystore&screen=CTGY&Cate
gory_Code=dvds

SFL style link is something like this:

somesite.com/page/mystore/CTGY/dvds

rewrite rule is something like this:

.*/page/(.*)/CTGY/(.*)/$
/mm5/merchant.mvc?store_code=$1&screen=CTGY&category_co de=$2

An SFL style url to a product page is something like this

somesite.com/page/mystore/PROD/DA001

rewrite rule needs to be something like this:

.*/page/(.*)/PROD/(.*)/(.*)/$
/mm5/merchant.mvc?store_code=$1&screen=PROD&product_cod e=$3&categ
ory_code=$2

But to make all your pages generate urls like that you need to
edit the templates containing the urls.

For the product list for example the code is like this:

<a
href="&mvt:global:sessionurl;Screen=PROD&Store_Cod e=&mvta:global:
Store_Code;&Product_Code=&mvta:product:code;&Categ ory_Code=&mvta:
global:Category_Code;">&mvt:product:code;</a>

You need to change it to something like this:

<a
href="http://yoursite.com/page/&mvta:global:Store_Code;/PROD/&mvt
a:global:Category_Code;/&mvta:product:code;">&mvt:product:code;</
a>

If you were going to do such editing there are much better styles
of urls to use than the SFL style, having urls with full names of
categories and products is much better from an SEO stand point.
For example we have made manual changes to clients' 4.x MMUI
stores very quickly and easily that allows urls like:

site.com/some-descriptive-category-code-here.html
site.com/some-long-programaticly-altered-to-add-dashes-product-na
me-here_sku.html

The rewrite rules to convert such urls to Miva Merchant pages are
simple.

But anyway back to MM5, there are some challenges in that certain
urls aren't readily available in the templates, most notably the
category tree, but you can either replace the module that
controls the category tree, use a hard coded one, or there may be
other options that could be come up with after a bit of thinking.
Also there are limitations in the token language in that you
can't use Miva script directly so for fancy rewritten urls the
creation of a small module that does the rewrite that can be
loaded as an item and then referenced on the pages would probably
be the way to go for fancy urls like the ones we normally do in
old 4.x MMUI stores.

Anyway I hope these thoughts help.

- Jeff Huber
President, 4TheBest eCommerce Solutions
http://4TheBest.com
[email protected]
Office: 760-742-1469
Cell: 760-445-8454



-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Jen
Ferraz
Sent: Tuesday, May 03, 2005 9:23 AM
To: [email protected]
Subject: RE: [m5u] m5 old links


John:

You can create new Pages with the same
codes as you have used in the Viking module.
The SFL links will be dependent on the availability
of a similar module for MM5.



Jen
Hostasaurus.Com
Miva Premier Hosting Partner
813.971.8772
[email protected]


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of John
Fischer
Sent: Tuesday, May 03, 2005 12:22 PM
To: [email protected]
Subject: [m5u] m5 old links


Group-
I have a store that depends on the millions of links scattered
all over
the
internet. For example, Google alone has over 90,000 pages indexed
in my
site
these are Merchant style links, and SFL links as well as static
pages
and
Viking coders additional screens pages with SFL link styles and
Merchant
links.

When I migrate how can I ensure all of these links will still
work?

Cheers,
John

m5 old links



Injection attacks occur when scripts don't
validate input correctly and allow a malformed user=20
MySQL statement to be passed to the database.
This was a recent problem with phpBB. The
only port it requires to be open is 80.

Here's an article you can read the explains it
<A HREF ="http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/">http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/</A>



Jen
Hostasaurus.Com
Miva Premier Hosting Partner
813.971.8772
[email protected]


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil
Hatfield
Sent: Tuesday, May 03, 2005 6:34 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links


Markus,

I haven't dug into the MivaSQL too much yet but since it uses the same
old
native file locking routine that it used to use my guess is that it will
be
as secure as it used to be. The SQL it uses is just another way of
talking
to its databases (laymans).

Speculating.... any "Injection Hacks" as you state would only be related
to
the use of MySQL with Miva Merchant. I would have to do some reading but
my
hacker educated guess tells me that this would require an open MySQL
port
and other tools.

Let me sum this up.... there should never be an open MySQL port to the
outside world. Miva and other scripts should be required to connect to
localhost for connectivity. Yes, most hosts have this port open and not
blocked at the firewall. I can't speak for the others but we do not as
it
isn't allowed through the firewall.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free
support lines for your convenience, great low cost packages to
choose from, Authorize.Net Direct retailer, need high-speed
connectivity well we have that too. Everything a business
needs to succeed. Host with the Pros and sell like one too!




-----Original Message-----
From: MvMarkus [mailto:[email protected]]
Sent: Tuesday, May 03, 2005 1:09 PM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Dear Wil, David,

Thanks a lot for these answers, they're very helpful.

A last word to the bug reports: As you suggested, Wil, I certainly won't
hesitate to send a report to bugs@... if I ever detect one, but of
course
I'd like to know that they are taken into consideration, especially
since
with v5 there are new potential vulernabilities through SQL injection
hacks
that we have never faced before. Considering that most major problems in
PHP/ASP scripts originate right there (and lack of input sanitation,
which
then often allows for a SQL hack), I believe that an aggressive and
"open"
stance from Miva's side to address those issues is the only way
Miva/Merchant's database layer can remain as secure as we knew it for
years.


For that reason, the recent posting about "paying to report bugs"
troubled
me quite a bit. But again, I am really only talking about real bugs and
vulnerabilities; not templating/usability issues, and I agree with David
that there will be cases where it's not going to be clear how to
interpret a
reported problem.

So I still have my hopes up that the people in San Diego will not ignore
a
message that indicates some nasty SQL injection through a cookie... I
certainly don't want to find the public posting of an exploit of such
vulernability during my weekly readings of @RISK (SANS Institute).

markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil
Hatfield
Sent: Tuesday, May 03, 2005 3:23 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

Well David already did a great job answering. My additions follow:

3. Now that Miva has some money and more proactive staff they have been
being very good about keeping on top of the bugs. They even hired in
James
one of the best guys for the job who will be in charge of many things
and I
believe making sure those bugs get fixed is one of them even if through
deligation. Here is a good resource... [email protected].

4. In laymans terms, when you modify the "pages" aka "screen layout" in
MIVA
Merchant 5 Admin and click the Update button the "page" is compiled
directly
into the MM5 software. No compiler required unless you are building your
own
external applications or modules.

5. Special upgrade pricing will be available to existing customers. New
customers already get a new MM5 capable license key when they come to
us, so
everyone is covered.

Thanks for your perspective and questions. I am going to put together an
"Inside MIVA Merchant 5" page shortly and am glad to have the input so I
know what kind of questions are out there.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support
lines
for your convenience, great low cost packages to choose from,
Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like
one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 11:28 AM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Hi Wil,

Thanks for the links. The questions that I referred to regard mainly
issues
that are only indirectly related to MM5:

(I'm just putting together some that I remember right out of the back of
my
mind, others will certainly have many others, and probably more MM or
module
specific questions. The purpose is not to start another public
discussion,
but simply to get some straight and simple answers from official side).

1.) Compiler: When will a new compiler be released (if at all)? Will
there
be any costs involved?

2.) MM5/MySQL licensing issues: Do we need to purchase our own
commercial
license of MySQL, do ISPs have to offer commercial license, or has Miva
Corp. an agreement with MySQL ABE in place that covers the end-users?

3.) A statement (confirmation) reg. bug reports only being accepted from
members of Miva's support plan, and in such case clear instructions how
to
submit critical bugs (like security issues) if one is not a member of
such a
support plan. Obviously, I'd like to see that Miva is still committed to
listen to those issues without requiring any upfront payments.

4.) Does the new template mechanism in MM5 require a compiler on the
server,
does Empresa handle the precompilation or are these interpreted scripts
that
don't require real compilation?

5.) Will there be an upgrade pricing for MM5 for existing users of MM4
and
earlier or will it only be sold as a completely new product?


Most MM5 related questions (changes, new features, availability of
payment
gateways) are probably covered by the docs and your webpages, or, since
the
official release date is only on May 16 ( which I just learned today
from
David), will be addressed at that occasion or by the module developers
themselves.

Thanks,

Markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil
Hatfield
Sent: Tuesday, May 03, 2005 1:27 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

What questions did you have that weren't covered in the docs?

<A HREF ="http://www.hyperconx.com/software/miva-merchant-5.phtml">http://www.hyperconx.com/software/miva-merchant-5.phtml</A>


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support
lines
for your convenience, great low cost packages to choose from,
Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like
one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 9:44 AM
To: 'David Hubbard'; [email protected]
Subject: RE: [m5u] m5 old links


I still have the hope that yesterday wasn't the official release...
Meaning:
I hope they'd at least make a public and official annoucement and answer
some of the questions that were asked here over the past weeks, to set
an
end to all the FUD and speculations.

Markus




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David
Hubbard
Sent: Tuesday, May 03, 2005 12:37 PM
To: [email protected]
Subject: RE: [m5u] m5 old links

It was just released yesterday, I would suspect they will eventually be
releasing many things like that which store owners consider mandatory.

David

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of John
> Fischer
> Sent: Tuesday, May 03, 2005 12:35 PM
> To: [email protected]
> Subject: RE: [m5u] m5 old links
>
> Well I can't migrate to Miva till a M5 SFL is released
>
> Anybody else in that boat?
>
> Is Miva going to ignore us on this issue?
>
>
>
>

m5 old links



From: [email protected]=20
> [mailto:[email protected]] On Behalf Of=20
> Wil Hatfield
> Sent: Tuesday, May 03, 2005 6:34 PM
> To: MvMarkus; [email protected]
> Subject: RE: [m5u] m5 old links
>=20
>=20
> Speculating.... any "Injection Hacks" as you state would only=20
> be related to the use of MySQL with Miva Merchant. I would
> have to do some reading but my hacker educated guess tells
> me that this would require an open MySQL port and other tools.

SQL injection attacks are not designed to compromise the mysql
server so open ports are unrelated, they're designed to
compromise the application or data. For example, writing a
carefully crafted category URL with added SQL passed in the
URL or posted with the intent of running a select (*) against
the orders database to get all the names and credit card
numbers; or to run an update and give oneself an admin=20
account in the store. Hopefully though Miva has done their
security homework while writing Empresa 5 and none of that
kind of stuff, which phpbb seems to be susceptible to on a
weekly basis for example, will be possible.

David

> Let me sum this up.... there should never be an open MySQL port to the
> outside world. Miva and other scripts should be required to connect to
> localhost for connectivity. Yes, most hosts have this port=20
> open and not
> blocked at the firewall. I can't speak for the others but we=20
> do not as it
> isn't allowed through the firewall.
>=20
>=20
> Wil Hatfield
> HyperConX Customer Care
>=20
> HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
> 1.800.894.3613 - Toll Free in the US and Canada
>=20
> Check out the all new Miva Pages:
> <A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>
>=20
> Premium e-commerce hosting, 24/7 technical support, toll free
> support lines for your convenience, great low cost packages to
> choose from, Authorize.Net Direct retailer, need high-speed
> connectivity well we have that too. Everything a business
> needs to succeed. Host with the Pros and sell like one too!
>=20
>=20
>=20
>=20
> -----Original Message-----
> From: MvMarkus [mailto:[email protected]]
> Sent: Tuesday, May 03, 2005 1:09 PM
> To: 'Wil Hatfield'; [email protected]
> Subject: RE: [m5u] m5 old links
>=20
>=20
> Dear Wil, David,
>=20
> Thanks a lot for these answers, they're very helpful.
>=20
> A last word to the bug reports: As you suggested, Wil, I=20
> certainly won't
> hesitate to send a report to bugs@... if I ever detect one,=20
> but of course
> I'd like to know that they are taken into consideration,=20
> especially since
> with v5 there are new potential vulernabilities through SQL=20
> injection hacks
> that we have never faced before. Considering that most major=20
> problems in
> PHP/ASP scripts originate right there (and lack of input=20
> sanitation, which
> then often allows for a SQL hack), I believe that an=20
> aggressive and "open"
> stance from Miva's side to address those issues is the only way
> Miva/Merchant's database layer can remain as secure as we=20
> knew it for years.
>=20
>=20
> For that reason, the recent posting about "paying to report=20
> bugs" troubled
> me quite a bit. But again, I am really only talking about=20
> real bugs and
> vulnerabilities; not templating/usability issues, and I agree=20
> with David
> that there will be cases where it's not going to be clear how=20
> to interpret a
> reported problem.
>=20
> So I still have my hopes up that the people in San Diego will=20
> not ignore a
> message that indicates some nasty SQL injection through a cookie... I
> certainly don't want to find the public posting of an exploit of such
> vulernability during my weekly readings of @RISK (SANS Institute).
>=20
> markus
>=20
>=20
>=20
>=20
>=20
>=20
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of=20
> Wil Hatfield
> Sent: Tuesday, May 03, 2005 3:23 PM
> To: MvMarkus; [email protected]
> Subject: RE: [m5u] m5 old links
>=20
> Well David already did a great job answering. My additions follow:
>=20
> 3. Now that Miva has some money and more proactive staff they=20
> have been
> being very good about keeping on top of the bugs. They even=20
> hired in James
> one of the best guys for the job who will be in charge of=20
> many things and I
> believe making sure those bugs get fixed is one of them even=20
> if through
> deligation. Here is a good resource... [email protected].
>=20
> 4. In laymans terms, when you modify the "pages" aka "screen=20
> layout" in MIVA
> Merchant 5 Admin and click the Update button the "page" is=20
> compiled directly
> into the MM5 software. No compiler required unless you are=20
> building your own
> external applications or modules.
>=20
> 5. Special upgrade pricing will be available to existing=20
> customers. New
> customers already get a new MM5 capable license key when they=20
> come to us, so
> everyone is covered.
>=20
> Thanks for your perspective and questions. I am going to put=20
> together an
> "Inside MIVA Merchant 5" page shortly and am glad to have the=20
> input so I
> know what kind of questions are out there.
>=20
>=20
> Wil Hatfield
> HyperConX Customer Care
>=20
> HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
> 1.800.894.3613 - Toll Free in the US and Canada
>=20
> Check out the all new Miva Pages:
> <A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>
>=20
> Premium e-commerce hosting, 24/7 technical support, toll free=20
> support lines
> for your convenience, great low cost packages to choose from,=20
> Authorize.Net
> Direct retailer, need high-speed connectivity well we have that too.
> Everything a business needs to succeed. Host with the Pros=20
> and sell like one
> too!
>=20
>=20
>=20
>=20
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of MvMarkus
> Sent: Tuesday, May 03, 2005 11:28 AM
> To: 'Wil Hatfield'; [email protected]
> Subject: RE: [m5u] m5 old links
>=20
>=20
> Hi Wil,
>=20
> Thanks for the links. The questions that I referred to regard=20
> mainly issues
> that are only indirectly related to MM5:
>=20
> (I'm just putting together some that I remember right out of=20
> the back of my
> mind, others will certainly have many others, and probably=20
> more MM or module
> specific questions. The purpose is not to start another=20
> public discussion,
> but simply to get some straight and simple answers from=20
> official side).
>=20
> 1.) Compiler: When will a new compiler be released (if at=20
> all)? Will there
> be any costs involved?
>=20
> 2.) MM5/MySQL licensing issues: Do we need to purchase our=20
> own commercial
> license of MySQL, do ISPs have to offer commercial license,=20
> or has Miva
> Corp. an agreement with MySQL ABE in place that covers the end-users?
>=20
> 3.) A statement (confirmation) reg. bug reports only being=20
> accepted from
> members of Miva's support plan, and in such case clear=20
> instructions how to
> submit critical bugs (like security issues) if one is not a=20
> member of such a
> support plan. Obviously, I'd like to see that Miva is still=20
> committed to
> listen to those issues without requiring any upfront payments.
>=20
> 4.) Does the new template mechanism in MM5 require a compiler=20
> on the server,
> does Empresa handle the precompilation or are these=20
> interpreted scripts that
> don't require real compilation?
>=20
> 5.) Will there be an upgrade pricing for MM5 for existing=20
> users of MM4 and
> earlier or will it only be sold as a completely new product?
>=20
>=20
> Most MM5 related questions (changes, new features,=20
> availability of payment
> gateways) are probably covered by the docs and your webpages,=20
> or, since the
> official release date is only on May 16 ( which I just=20
> learned today from
> David), will be addressed at that occasion or by the module developers
> themselves.
>=20
> Thanks,
>=20
> Markus
>=20
>=20
>=20
>=20
>=20
>=20
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of=20
> Wil Hatfield
> Sent: Tuesday, May 03, 2005 1:27 PM
> To: MvMarkus; [email protected]
> Subject: RE: [m5u] m5 old links
>=20
> What questions did you have that weren't covered in the docs?
>=20
> <A HREF ="http://www.hyperconx.com/software/miva-merchant-5.phtml">http://www.hyperconx.com/software/miva-merchant-5.phtml</A>
>=20
>=20
> Wil Hatfield
> HyperConX Customer Care
>=20
> HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
> 1.800.894.3613 - Toll Free in the US and Canada
>=20
> Check out the all new Miva Pages:
> <A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>
>=20
> Premium e-commerce hosting, 24/7 technical support, toll free=20
> support lines
> for your convenience, great low cost packages to choose from,=20
> Authorize.Net
> Direct retailer, need high-speed connectivity well we have that too.
> Everything a business needs to succeed. Host with the Pros=20
> and sell like one
> too!
>=20
>=20
>=20
>=20
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of MvMarkus
> Sent: Tuesday, May 03, 2005 9:44 AM
> To: 'David Hubbard'; [email protected]
> Subject: RE: [m5u] m5 old links
>=20
>=20
> I still have the hope that yesterday wasn't the official=20
> release... Meaning:
> I hope they'd at least make a public and official annoucement=20
> and answer
> some of the questions that were asked here over the past=20
> weeks, to set an
> end to all the FUD and speculations.
>=20
> Markus
>=20
>=20
>=20
>=20
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of=20
> David Hubbard
> Sent: Tuesday, May 03, 2005 12:37 PM
> To: [email protected]
> Subject: RE: [m5u] m5 old links
>=20
> It was just released yesterday, I would suspect they will=20
> eventually be
> releasing many things like that which store owners consider mandatory.
>=20
> David
>=20
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of John
> > Fischer
> > Sent: Tuesday, May 03, 2005 12:35 PM
> > To: [email protected]
> > Subject: RE: [m5u] m5 old links
> >
> > Well I can't migrate to Miva till a M5 SFL is released
> >
> > Anybody else in that boat?
> >
> > Is Miva going to ignore us on this issue?
> >
> >
> >
> >

m5 old links



Hi Wil,

SQL injection hacks are -as far as I understand- pretty simple hacks, but
they don't necessarily require any ports or telnet or whatever access. You
have for example a cookie with a username (or session id), and the attacker
then injects into the cookievalue an SQL string. So if the value should be
something like "abcdsc" he submits a page with the cookie value "DELETE
TABLE products ..." or "GRANT user ...." (give him admi rights) and similar.
The error in this case is that the SQL server queries the database, using
the string DELETE TABLE... instead of a regular value and may then actually
execute the string in a subquery, if for example the permissions are not
properly set.

This is of course just a simplistic example - which actually requires that
the permissions are not properly set AND that user input is not correctly
sanitized.... But you see how can easily it can lead to quite annoying
problems.

On the other hand, the "classic" Miva dbIII architecture doesn't allow for
such a problem simply because it doesn't let you execute commands through
the command line. MvFILTER has some potential (because it has some
interpreting functionality), and therefore probably needs a bit of care, but
at least in the case of older Merchant's authentication schemes I don't
recall that MvFILTER is actually used anywhere except the searches, and I am
not aware that anybody has ever successfully hacked his way into a dbIII
table through it.

Markus



-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil Hatfield
Sent: Tuesday, May 03, 2005 6:34 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

Markus,

I haven't dug into the MivaSQL too much yet but since it uses the same old
native file locking routine that it used to use my guess is that it will be
as secure as it used to be. The SQL it uses is just another way of talking
to its databases (laymans).

Speculating.... any "Injection Hacks" as you state would only be related to
the use of MySQL with Miva Merchant. I would have to do some reading but my
hacker educated guess tells me that this would require an open MySQL port
and other tools.

Let me sum this up.... there should never be an open MySQL port to the
outside world. Miva and other scripts should be required to connect to
localhost for connectivity. Yes, most hosts have this port open and not
blocked at the firewall. I can't speak for the others but we do not as it
isn't allowed through the firewall.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: MvMarkus [mailto:[email protected]]
Sent: Tuesday, May 03, 2005 1:09 PM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Dear Wil, David,

Thanks a lot for these answers, they're very helpful.

A last word to the bug reports: As you suggested, Wil, I certainly won't
hesitate to send a report to bugs@... if I ever detect one, but of course
I'd like to know that they are taken into consideration, especially since
with v5 there are new potential vulernabilities through SQL injection hacks
that we have never faced before. Considering that most major problems in
PHP/ASP scripts originate right there (and lack of input sanitation, which
then often allows for a SQL hack), I believe that an aggressive and "open"
stance from Miva's side to address those issues is the only way
Miva/Merchant's database layer can remain as secure as we knew it for years.


For that reason, the recent posting about "paying to report bugs" troubled
me quite a bit. But again, I am really only talking about real bugs and
vulnerabilities; not templating/usability issues, and I agree with David
that there will be cases where it's not going to be clear how to interpret a
reported problem.

So I still have my hopes up that the people in San Diego will not ignore a
message that indicates some nasty SQL injection through a cookie... I
certainly don't want to find the public posting of an exploit of such
vulernability during my weekly readings of @RISK (SANS Institute).

markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil Hatfield
Sent: Tuesday, May 03, 2005 3:23 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

Well David already did a great job answering. My additions follow:

3. Now that Miva has some money and more proactive staff they have been
being very good about keeping on top of the bugs. They even hired in James
one of the best guys for the job who will be in charge of many things and I
believe making sure those bugs get fixed is one of them even if through
deligation. Here is a good resource... [email protected].

4. In laymans terms, when you modify the "pages" aka "screen layout" in MIVA
Merchant 5 Admin and click the Update button the "page" is compiled directly
into the MM5 software. No compiler required unless you are building your own
external applications or modules.

5. Special upgrade pricing will be available to existing customers. New
customers already get a new MM5 capable license key when they come to us, so
everyone is covered.

Thanks for your perspective and questions. I am going to put together an
"Inside MIVA Merchant 5" page shortly and am glad to have the input so I
know what kind of questions are out there.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 11:28 AM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Hi Wil,

Thanks for the links. The questions that I referred to regard mainly issues
that are only indirectly related to MM5:

(I'm just putting together some that I remember right out of the back of my
mind, others will certainly have many others, and probably more MM or module
specific questions. The purpose is not to start another public discussion,
but simply to get some straight and simple answers from official side).

1.) Compiler: When will a new compiler be released (if at all)? Will there
be any costs involved?

2.) MM5/MySQL licensing issues: Do we need to purchase our own commercial
license of MySQL, do ISPs have to offer commercial license, or has Miva
Corp. an agreement with MySQL ABE in place that covers the end-users?

3.) A statement (confirmation) reg. bug reports only being accepted from
members of Miva's support plan, and in such case clear instructions how to
submit critical bugs (like security issues) if one is not a member of such a
support plan. Obviously, I'd like to see that Miva is still committed to
listen to those issues without requiring any upfront payments.

4.) Does the new template mechanism in MM5 require a compiler on the server,
does Empresa handle the precompilation or are these interpreted scripts that
don't require real compilation?

5.) Will there be an upgrade pricing for MM5 for existing users of MM4 and
earlier or will it only be sold as a completely new product?


Most MM5 related questions (changes, new features, availability of payment
gateways) are probably covered by the docs and your webpages, or, since the
official release date is only on May 16 ( which I just learned today from
David), will be addressed at that occasion or by the module developers
themselves.

Thanks,

Markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil Hatfield
Sent: Tuesday, May 03, 2005 1:27 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

What questions did you have that weren't covered in the docs?

<A HREF ="http://www.hyperconx.com/software/miva-merchant-5.phtml">http://www.hyperconx.com/software/miva-merchant-5.phtml</A>


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 9:44 AM
To: 'David Hubbard'; [email protected]
Subject: RE: [m5u] m5 old links


I still have the hope that yesterday wasn't the official release... Meaning:
I hope they'd at least make a public and official annoucement and answer
some of the questions that were asked here over the past weeks, to set an
end to all the FUD and speculations.

Markus




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Hubbard
Sent: Tuesday, May 03, 2005 12:37 PM
To: [email protected]
Subject: RE: [m5u] m5 old links

It was just released yesterday, I would suspect they will eventually be
releasing many things like that which store owners consider mandatory.

David

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of John
> Fischer
> Sent: Tuesday, May 03, 2005 12:35 PM
> To: [email protected]
> Subject: RE: [m5u] m5 old links
>
> Well I can't migrate to Miva till a M5 SFL is released
>
> Anybody else in that boat?
>
> Is Miva going to ignore us on this issue?
>
>
>
>

m5 old links



Just to illustrate how often these SQL injection holes occur, look at the
list of Web app vulnerabilities published by SANS's @RISK newsletter of this
week:

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

-- Web Application
05.17.37 - Ocean12 Calendar Manager Admin Form SQL Injection
05.17.38 - PHPBB-Auction Module SQL Injection
05.17.39 - PHP Labs proFile Dir URI Variable Cross-Site Scripting
05.17.40 - DUportal Pro Multiple SQL Injection Vulnerabilities
05.17.41 - Coppermine Photo Gallery Favs SQL Injection
05.17.42 - PHProjekt Chatroom Text Submission HTML Injection
05.17.43 - DUportal Multiple SQL Injection Vulnerabilities
05.17.44 - Coppermine Photo Gallery ZipDownload.PHP SQL Injection
05.17.45 - AZ Bulletin Board Remote File Include Vulnerability
05.17.46 - AZ Bulletin Board Remote Directory Traversal
05.17.47 - AZ Bulletin Board Directory Traversal
05.17.48 - FlexPHPNews News.PHP SQL Injection
05.17.49 - PayProCart Username Cross-Site Scripting
05.17.50 - ProfitCode PayProCart ChckOutAction Cross-Site Scripting
05.17.51 - PayProCart Ckprvd Cross-Site Scripting
05.17.52 - PayProCart PageID Cross-Site Scripting
05.17.53 - PayProCart AdminShop HDoc Cross-Site Scripting
05.17.54 - ASPNuke Comments.ASP SQL Injection
05.17.55 - ASPNuke Detail.ASP SQL Injection
05.17.56 - PixySoft E-Cart Remote Command Execution Vulnerability
05.17.57 - ProfitCode Software PayProCart AdminShop ModID Cross-Site
Scripting
05.17.58 - ProfitCode PayProCart Cross-Site Scripting
05.17.59 - ProfitCode PayProCart AdminShop ProMod Cross-Site Scripting
05.17.60 - ProfitCode PayProCart Cross-Site Scripting
05.17.61 - MediaWiki Unspecified HTML Tidy Cross-Site Scripting
05.17.62 - OneWorldStore chksettings.asp Denial of Service
05.17.63 - ASPNuke Profile.ASP Cross-Site Scripting
05.17.64 - WoltLab Burning Board Thread.PHP Cross-Site Scripting
05.17.65 - Black Knight Forum Member.ASP SQL Injection
05.17.66 - Black Knight Forum Forum.ASP SQL Injection
05.17.67 - Black Knight Forum Register.ASP SQL Injection
05.17.68 - CartWIZ ProductCatalogSubCats.ASP SQL Injection
05.17.69 - CartWIZ SearchResults.ASP Cross-Site Scripting
05.17.70 - phpBB Profile.PHP Cross-Site Scripting
05.17.71 - phpBB Viewtopic.PHP Cross Site Scripting
05.17.72 - ACS Blog Administrative Access Authentication Bypass
05.17.73 - SWSoft Confixx Change User SQL Injection
05.17.74 - PHPMyVisites Cross-Site Scripting
05.17.75 - PHPMyVisites Index.PHP Cross Site Scripting
05.17.76 - PHPMyVisites Site Variable Cross-Site Scripting
05.17.77 - CartWIZ SearchResults.ASP PriceTo Argument SQL Injection
05.17.78 - CartWIZ SearchResults.ASP PriceFrom SQL Injection
05.17.79 - CartWIZ SearchResults.ASP IDCategory Argument SQL Injection
05.17.80 - CartWIZ Multiple SQL Injection and Cross-Site Scripting
Vulnerabilities
05.17.81 - CartWIZ Access.ASP Cross-Site Scripting
05.17.82 - CartWIZ Login.ASP Redirect Argument Cross-Site Scripting
05.17.83 - CartWIZ Searchresults.ASP SKU Argument Cross-Site Scripting
05.17.84 - Horde Nag Remote Cross-Site Scripting
05.17.85 - Horde Chora Remote Cross-Site Scripting
05.17.86 - Horde Accounts Module Remote Cross-Site Scripting
05.17.87 - OneWorldStore IDOrder Information Disclosure
05.17.88 - MetaCart2 IntCatalogID Parameter Remote SQL Injection
05.17.89 - MetaCart2 StrSubCatalogID Parameter SQL Injection
05.17.90 - MetaCart2 CurCatalogID Parameter Remote SQL Injection
05.17.91 - MetaCart2 strSubCatalog_NAME Parameter Remote SQL Injection
05.17.92 - MetaCart E-Shop V-8 Remote SQL Injection
05.17.93 - Invision Power Board QPid Parameter SQL Injection
05.17.94 - SqWebmail HTTP Response Splitting
05.17.95 - WoltLab Burning Board PMS.PHP Cross-Site Scripting
05.17.96 - MetaCart e-Shop Remote SQL Injection
05.17.97 - StorePortal Default.ASP Multiple SQL Injection Vulnerabilities
05.17.98 - Horde Vacation Remote Cross-Site Scripting
05.17.99 - Horde MNemo Remote Cross-Site Scripting
05.17.100 - phpMyVisites Set_Lang File Include
05.17.101 - yappa-ng Unspecified Remote File Include
05.17.102 - yappa-ng Cross-Site Scripting
05.17.103 - GrayCMS Error.PHP Remote File Include
05.17.104 - MetaCart2 Searchaction.ASP Multiple SQL Injection
Vulnerabilities
05.17.105 - bBlog Index.PHP HTML Injection Vulnerability
05.17.106 - MetaBid Auctions intAuctionID Parameter SQL Injection
05.17.107 - bBlog PostID Parameter SQL Injection
05.17.108 - BEA WebLogic Server and WebLogic Express Cross-Site Scripting
05.17.109 - ABCZone.IT WWWGuestBook SQL Injection
05.17.110 - PHP-Calendar Search.PHP SQL Injection
__________________________________________________ _______




Markus















-----Original Message-----
From: Wil Hatfield [mailto:[email protected]]
Sent: Tuesday, May 03, 2005 6:34 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

Markus,

I haven't dug into the MivaSQL too much yet but since it uses the same old
native file locking routine that it used to use my guess is that it will be
as secure as it used to be. The SQL it uses is just another way of talking
to its databases (laymans).

Speculating.... any "Injection Hacks" as you state would only be related to
the use of MySQL with Miva Merchant. I would have to do some reading but my
hacker educated guess tells me that this would require an open MySQL port
and other tools.

Let me sum this up.... there should never be an open MySQL port to the
outside world. Miva and other scripts should be required to connect to
localhost for connectivity. Yes, most hosts have this port open and not
blocked at the firewall. I can't speak for the others but we do not as it
isn't allowed through the firewall.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: MvMarkus [mailto:[email protected]]
Sent: Tuesday, May 03, 2005 1:09 PM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Dear Wil, David,

Thanks a lot for these answers, they're very helpful.

A last word to the bug reports: As you suggested, Wil, I certainly won't
hesitate to send a report to bugs@... if I ever detect one, but of course
I'd like to know that they are taken into consideration, especially since
with v5 there are new potential vulernabilities through SQL injection hacks
that we have never faced before. Considering that most major problems in
PHP/ASP scripts originate right there (and lack of input sanitation, which
then often allows for a SQL hack), I believe that an aggressive and "open"
stance from Miva's side to address those issues is the only way
Miva/Merchant's database layer can remain as secure as we knew it for years.


For that reason, the recent posting about "paying to report bugs" troubled
me quite a bit. But again, I am really only talking about real bugs and
vulnerabilities; not templating/usability issues, and I agree with David
that there will be cases where it's not going to be clear how to interpret a
reported problem.

So I still have my hopes up that the people in San Diego will not ignore a
message that indicates some nasty SQL injection through a cookie... I
certainly don't want to find the public posting of an exploit of such
vulernability during my weekly readings of @RISK (SANS Institute).

markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil Hatfield
Sent: Tuesday, May 03, 2005 3:23 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

Well David already did a great job answering. My additions follow:

3. Now that Miva has some money and more proactive staff they have been
being very good about keeping on top of the bugs. They even hired in James
one of the best guys for the job who will be in charge of many things and I
believe making sure those bugs get fixed is one of them even if through
deligation. Here is a good resource... [email protected].

4. In laymans terms, when you modify the "pages" aka "screen layout" in MIVA
Merchant 5 Admin and click the Update button the "page" is compiled directly
into the MM5 software. No compiler required unless you are building your own
external applications or modules.

5. Special upgrade pricing will be available to existing customers. New
customers already get a new MM5 capable license key when they come to us, so
everyone is covered.

Thanks for your perspective and questions. I am going to put together an
"Inside MIVA Merchant 5" page shortly and am glad to have the input so I
know what kind of questions are out there.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 11:28 AM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Hi Wil,

Thanks for the links. The questions that I referred to regard mainly issues
that are only indirectly related to MM5:

(I'm just putting together some that I remember right out of the back of my
mind, others will certainly have many others, and probably more MM or module
specific questions. The purpose is not to start another public discussion,
but simply to get some straight and simple answers from official side).

1.) Compiler: When will a new compiler be released (if at all)? Will there
be any costs involved?

2.) MM5/MySQL licensing issues: Do we need to purchase our own commercial
license of MySQL, do ISPs have to offer commercial license, or has Miva
Corp. an agreement with MySQL ABE in place that covers the end-users?

3.) A statement (confirmation) reg. bug reports only being accepted from
members of Miva's support plan, and in such case clear instructions how to
submit critical bugs (like security issues) if one is not a member of such a
support plan. Obviously, I'd like to see that Miva is still committed to
listen to those issues without requiring any upfront payments.

4.) Does the new template mechanism in MM5 require a compiler on the server,
does Empresa handle the precompilation or are these interpreted scripts that
don't require real compilation?

5.) Will there be an upgrade pricing for MM5 for existing users of MM4 and
earlier or will it only be sold as a completely new product?


Most MM5 related questions (changes, new features, availability of payment
gateways) are probably covered by the docs and your webpages, or, since the
official release date is only on May 16 ( which I just learned today from
David), will be addressed at that occasion or by the module developers
themselves.

Thanks,

Markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil Hatfield
Sent: Tuesday, May 03, 2005 1:27 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

What questions did you have that weren't covered in the docs?

<A HREF ="http://www.hyperconx.com/software/miva-merchant-5.phtml">http://www.hyperconx.com/software/miva-merchant-5.phtml</A>


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support lines
for your convenience, great low cost packages to choose from, Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 9:44 AM
To: 'David Hubbard'; [email protected]
Subject: RE: [m5u] m5 old links


I still have the hope that yesterday wasn't the official release... Meaning:
I hope they'd at least make a public and official annoucement and answer
some of the questions that were asked here over the past weeks, to set an
end to all the FUD and speculations.

Markus




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Hubbard
Sent: Tuesday, May 03, 2005 12:37 PM
To: [email protected]
Subject: RE: [m5u] m5 old links

It was just released yesterday, I would suspect they will eventually be
releasing many things like that which store owners consider mandatory.

David

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of John
> Fischer
> Sent: Tuesday, May 03, 2005 12:35 PM
> To: [email protected]
> Subject: RE: [m5u] m5 old links
>
> Well I can't migrate to Miva till a M5 SFL is released
>
> Anybody else in that boat?
>
> Is Miva going to ignore us on this issue?
>
>
>
>

m5 old links



As stated "I would have to do some reading" and now I have. Thanks for the
link Jen.

I SERIOUSLY doubt that those vulnerabilities would be present in a Merchant
release. Frankly the vulnerabilites are caused by some really stupid coding
mistakes. Seems to lean more towards ASP and that is probably why the author
there on the page really uses ASP as his examples. Perl and PHP aren't going
to accept misguided variable inputs so easily and I very much doubt that C++
will either. Maybe one day I can add C++ to my list. Now on the MivaScript
side it could but with all the new "validation" taking place in VM & MM5 I
am pretty comfortable with it.

Good information though. I will continue to strip() chop() chomp() my way to
clean inputs.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free
support lines for your convenience, great low cost packages to
choose from, Authorize.Net Direct retailer, need high-speed
connectivity well we have that too. Everything a business
needs to succeed. Host with the Pros and sell like one too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Jen Ferraz
Sent: Tuesday, May 03, 2005 3:53 PM
To: [email protected]
Subject: RE: [m5u] m5 old links


Injection attacks occur when scripts don't
validate input correctly and allow a malformed user
MySQL statement to be passed to the database.
This was a recent problem with phpBB. The
only port it requires to be open is 80.

Here's an article you can read the explains it
<A HREF ="http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/">http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/</A>



Jen
Hostasaurus.Com
Miva Premier Hosting Partner
813.971.8772
[email protected]


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil
Hatfield
Sent: Tuesday, May 03, 2005 6:34 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links


Markus,

I haven't dug into the MivaSQL too much yet but since it uses the same
old
native file locking routine that it used to use my guess is that it will
be
as secure as it used to be. The SQL it uses is just another way of
talking
to its databases (laymans).

Speculating.... any "Injection Hacks" as you state would only be related
to
the use of MySQL with Miva Merchant. I would have to do some reading but
my
hacker educated guess tells me that this would require an open MySQL
port
and other tools.

Let me sum this up.... there should never be an open MySQL port to the
outside world. Miva and other scripts should be required to connect to
localhost for connectivity. Yes, most hosts have this port open and not
blocked at the firewall. I can't speak for the others but we do not as
it
isn't allowed through the firewall.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free
support lines for your convenience, great low cost packages to
choose from, Authorize.Net Direct retailer, need high-speed
connectivity well we have that too. Everything a business
needs to succeed. Host with the Pros and sell like one too!




-----Original Message-----
From: MvMarkus [mailto:[email protected]]
Sent: Tuesday, May 03, 2005 1:09 PM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Dear Wil, David,

Thanks a lot for these answers, they're very helpful.

A last word to the bug reports: As you suggested, Wil, I certainly won't
hesitate to send a report to bugs@... if I ever detect one, but of
course
I'd like to know that they are taken into consideration, especially
since
with v5 there are new potential vulernabilities through SQL injection
hacks
that we have never faced before. Considering that most major problems in
PHP/ASP scripts originate right there (and lack of input sanitation,
which
then often allows for a SQL hack), I believe that an aggressive and
"open"
stance from Miva's side to address those issues is the only way
Miva/Merchant's database layer can remain as secure as we knew it for
years.


For that reason, the recent posting about "paying to report bugs"
troubled
me quite a bit. But again, I am really only talking about real bugs and
vulnerabilities; not templating/usability issues, and I agree with David
that there will be cases where it's not going to be clear how to
interpret a
reported problem.

So I still have my hopes up that the people in San Diego will not ignore
a
message that indicates some nasty SQL injection through a cookie... I
certainly don't want to find the public posting of an exploit of such
vulernability during my weekly readings of @RISK (SANS Institute).

markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil
Hatfield
Sent: Tuesday, May 03, 2005 3:23 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

Well David already did a great job answering. My additions follow:

3. Now that Miva has some money and more proactive staff they have been
being very good about keeping on top of the bugs. They even hired in
James
one of the best guys for the job who will be in charge of many things
and I
believe making sure those bugs get fixed is one of them even if through
deligation. Here is a good resource... [email protected].

4. In laymans terms, when you modify the "pages" aka "screen layout" in
MIVA
Merchant 5 Admin and click the Update button the "page" is compiled
directly
into the MM5 software. No compiler required unless you are building your
own
external applications or modules.

5. Special upgrade pricing will be available to existing customers. New
customers already get a new MM5 capable license key when they come to
us, so
everyone is covered.

Thanks for your perspective and questions. I am going to put together an
"Inside MIVA Merchant 5" page shortly and am glad to have the input so I
know what kind of questions are out there.


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support
lines
for your convenience, great low cost packages to choose from,
Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like
one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 11:28 AM
To: 'Wil Hatfield'; [email protected]
Subject: RE: [m5u] m5 old links


Hi Wil,

Thanks for the links. The questions that I referred to regard mainly
issues
that are only indirectly related to MM5:

(I'm just putting together some that I remember right out of the back of
my
mind, others will certainly have many others, and probably more MM or
module
specific questions. The purpose is not to start another public
discussion,
but simply to get some straight and simple answers from official side).

1.) Compiler: When will a new compiler be released (if at all)? Will
there
be any costs involved?

2.) MM5/MySQL licensing issues: Do we need to purchase our own
commercial
license of MySQL, do ISPs have to offer commercial license, or has Miva
Corp. an agreement with MySQL ABE in place that covers the end-users?

3.) A statement (confirmation) reg. bug reports only being accepted from
members of Miva's support plan, and in such case clear instructions how
to
submit critical bugs (like security issues) if one is not a member of
such a
support plan. Obviously, I'd like to see that Miva is still committed to
listen to those issues without requiring any upfront payments.

4.) Does the new template mechanism in MM5 require a compiler on the
server,
does Empresa handle the precompilation or are these interpreted scripts
that
don't require real compilation?

5.) Will there be an upgrade pricing for MM5 for existing users of MM4
and
earlier or will it only be sold as a completely new product?


Most MM5 related questions (changes, new features, availability of
payment
gateways) are probably covered by the docs and your webpages, or, since
the
official release date is only on May 16 ( which I just learned today
from
David), will be addressed at that occasion or by the module developers
themselves.

Thanks,

Markus






-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Wil
Hatfield
Sent: Tuesday, May 03, 2005 1:27 PM
To: MvMarkus; [email protected]
Subject: RE: [m5u] m5 old links

What questions did you have that weren't covered in the docs?

<A HREF ="http://www.hyperconx.com/software/miva-merchant-5.phtml">http://www.hyperconx.com/software/miva-merchant-5.phtml</A>


Wil Hatfield
HyperConX Customer Care

HyperConX International - <A HREF ="http://www.hyperconx.com">http://www.hyperconx.com</A>
1.800.894.3613 - Toll Free in the US and Canada

Check out the all new Miva Pages:
<A HREF ="http://www.hyperconx.com/miva/">http://www.hyperconx.com/miva/</A>

Premium e-commerce hosting, 24/7 technical support, toll free support
lines
for your convenience, great low cost packages to choose from,
Authorize.Net
Direct retailer, need high-speed connectivity well we have that too.
Everything a business needs to succeed. Host with the Pros and sell like
one
too!




-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of MvMarkus
Sent: Tuesday, May 03, 2005 9:44 AM
To: 'David Hubbard'; [email protected]
Subject: RE: [m5u] m5 old links


I still have the hope that yesterday wasn't the official release...
Meaning:
I hope they'd at least make a public and official annoucement and answer
some of the questions that were asked here over the past weeks, to set
an
end to all the FUD and speculations.

Markus




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David
Hubbard
Sent: Tuesday, May 03, 2005 12:37 PM
To: [email protected]
Subject: RE: [m5u] m5 old links

It was just released yesterday, I would suspect they will eventually be
releasing many things like that which store owners consider mandatory.

David

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of John
> Fischer
> Sent: Tuesday, May 03, 2005 12:35 PM
> To: [email protected]
> Subject: RE: [m5u] m5 old links
>
> Well I can't migrate to Miva till a M5 SFL is released
>
> Anybody else in that boat?
>
> Is Miva going to ignore us on this issue?
>
>
>
>

m5 old links



From: [email protected]=20
>=20
> As stated "I would have to do some reading" and now I have.=20
> Thanks for the link Jen.
>=20
> I SERIOUSLY doubt that those vulnerabilities would be present=20
> in a Merchant release. Frankly the vulnerabilites are caused
> by some really stupid coding mistakes. Seems to lean more

A lot of the applications that have been vulnerable to this
type of attack have been written by programmers whose
backgrounds also should not have allowed such code to
be left unchecked. Take phpbb for example, it's been
vulnerable to attacks similar to previous ones in three of
the last five releases, and they have five programmers working
on it.

> towards ASP and that is probably why the author there on the
> page really uses ASP as his examples.

I think PHP is the most commonly exploited language for
this attack due in part to its once-default setup of
allowing "register globals" which made it incredibly
easy to pass in new data to override already set variables.
It also tends to be present and used for poorly coded
applications on millions of web servers.

> Perl and PHP aren't going to accept misguided variable inputs
> so easily and I very much doubt that C++ will either. Maybe

The language doesn't know what makes input valid or not. Any
language will accept any input, it's the programmer who has
to check that the input given is valid and decide what to do
with it. A single line php program that just uses the include()
function can be turned into a remotely controlled attack
participant by sending it perfectly valid input. A C++
variable is no more likely to check an SQL query for sanity
than any other language, we just have to have confidence
that Miva has done so.

> one day I can add C++ to my list. Now on the MivaScript side
> it could but with all the new "validation" taking place in
> VM & MM5 I am pretty comfortable with it.
>=20
> Good information though. I will continue to strip() chop()=20
> chomp() my way to clean inputs.

Removing whitespace from the end of a string is not sanitizing
your inputs. That's not going to catch someone nesting
a "select (*) from s01_Orders" into a variable they've discovered
in Merchant that has been left unprotected.

David

m5 old links



David Hubbard wrote:
> Removing whitespace from the end of a string is not sanitizing
> your inputs. That's not going to catch someone nesting
> a "select (*) from s01_Orders" into a variable they've discovered
> in Merchant that has been left unprotected.

Let's say we have a text attribute on a product. Are you saying that
the customer could enter some variation of select (*) from s01_Orders
into the text input and add the product to the basket and it would run
that query?

--
Bill Weiland A2Z Emporium Plus <A HREF ="http://www.emporiumplus.com/store.mvc ">http://www.emporiumplus.com/store.mvc </A>
Modules for eCommerce. Mail Mgr, Coupon, PayPal, Froogle/Yahoo feeds
Rate This, Gift/Wish List, Wait List Mgr, EZ Batch, Shipping & more
Online Documentation <A HREF ="http://www.emporiumplus.com/docs">http://www.emporiumplus.com/docs</A>
Question <A HREF ="http://www.emporiumplus.com/mivamodule_wcw.mvc?Screen=SPTS ">http://www.emporiumplus.com/mivamodu...vc?Screen=SPTS </A>
|

m5 old links



From: [email protected]=20
>=20
> David Hubbard wrote:
> > Removing whitespace from the end of a string is not sanitizing
> > your inputs. That's not going to catch someone nesting
> > a "select (*) from s01_Orders" into a variable they've discovered
> > in Merchant that has been left unprotected.
>=20
> Let's say we have a text attribute on a product. Are you saying that
> the customer could enter some variation of select (*) from s01_Orders
> into the text input and add the product to the basket and it would run
> that query? =20
>=20

Very unlikely in that case, since the text being input from a
text input box would be considered inherently insecure; that
type of text is probably handled carefully, escaped and inserted
into the database for storage. SQL injection attacks typically
find ways to override known variables with new queries, or alter
existing queries. An example would be my guessing that internal
to Merchant or a module, a variable named "query" were being used.
This is common for programmers to do in languages where they're
working with SQL, storing their query somewhere while they build
it before executing it, so my guess of "query" might be right in
a lot of cases. Well, if there's some unchecked input somewhere,
maybe I can set query equal to "select (*) from s01_Orders"
by passing it in where the module doesn't expect it, and then it
ends up running that query for me and displaying the results
instead of what it intended on doing.

In prior versions of Merchant you could pass in POST variables
and have Merchant pre-fill form fields for you. For example,
I can hit a product page with a text attribute via POST and send
it <input name=3D"AttributeValue[1]" value=3D"select (*) from =
s01_Orders">.
Merchant will fill that box in for me when it renders the page
because I effectively set a variable internal to it while the
script was running. I could change AttributeValue[1] to maybe
g.query or some other Merchant-style variable; I don't know=20
MivaScript so I'm just theorizing, but maybe by doing something
like that I'll cause a variable set internal to the script to
be overridden by what I want it to be, and that's where the
danger potentially lies.

David

m5 old links



David Hubbard wrote:
> I don't know
> MivaScript so I'm just theorizing, but maybe by doing something
> like that I'll cause a variable set internal to the script to
> be overridden by what I want it to be, and that's where the
> danger potentially lies.

But accessing the data in Merchant is done with more than select (*)
from s01_Products

For example:
<MvOPENVIEW NAME = "Merchant"
VIEW = "Products"
QUERY = "{'SELECT * FROM ' $ g.Store_Table_Prefix $ 'Products WHERE id
= ?' }"
FIELDS = "l.product:id">

Isn't Merchant creating a specific way of getting to the data such that
you would need to use the "Mv" commands. Or does somehow having select
(*) from s01_Products floating around allow you to connect outside of
Merchant?

Inquiring minds want to know. So do the hackers.

--
Bill Weiland A2Z Emporium Plus <A HREF ="http://www.emporiumplus.com/store.mvc ">http://www.emporiumplus.com/store.mvc </A>
Modules for eCommerce. Mail Mgr, Coupon, PayPal, Froogle/Yahoo feeds
Rate This, Gift/Wish List, Wait List Mgr, EZ Batch, Shipping & more
Online Documentation <A HREF ="http://www.emporiumplus.com/docs">http://www.emporiumplus.com/docs</A>
Question <A HREF ="http://www.emporiumplus.com/mivamodule_wcw.mvc?Screen=SPTS ">http://www.emporiumplus.com/mivamodu...vc?Screen=SPTS </A>
|

m5 old links



It depends what you do with the user input. If any user input is used
unchecked to dynamically build queries, then it can certainly happen. There
are also diverse other situations, where user input, or other manipulable
data (cookies, http headers, cgi/form/url variables,...) can be used for
injection.

This risk of code injection always existed in Miva Script, but took
different forms with different versions of the engine and of Merchant. For
example any server having still files of (even an inactive) Merchant version
prior ~2.21, can be compromised easily and data and script files of the
entire account can be accessed.

The most evident holes were plugged later, but Merchant became safer with
v4, and then especially with the compiled 4.14. Well, I speak about stock
Merchant - unfortunately it cannot be told about all 3rd party modules.
Unfortunately, I saw many 3rd party modules that open the entire system to
easy exploits.

While the compiled v4 Miva Script reduced the risks considerably, with the
SQL interface, there may be indeed new risks included. Although I hope and
believe that the stock Merchant is written cleanly, inexperienced coders may
indeed introduce new security flaws.

Ivo Truxa

| http://miva.truxoft.com
| Advanced Miva Merchant modules



-----Original Message-----
From: William Weiland


David Hubbard wrote:
> Removing whitespace from the end of a string is not sanitizing
> your inputs. That's not going to catch someone nesting
> a "select (*) from s01_Orders" into a variable they've discovered
> in Merchant that has been left unprotected.

Let's say we have a text attribute on a product. Are you saying that
the customer could enter some variation of select (*) from s01_Orders
into the text input and add the product to the basket and it would run
that query?