View Full Version : OpenUI Security Update
Vic - WolfPaw Computers
04-01-07, 09:26 AM
Earlier this week, we, with the assistance of ScanAlert discovered a potential security exploit in MIVA Merchant v4.14-4.24 stores running OpenUI.
With the help of The OpenUI Consortium and MIVA Corp, the issue was quickly identified and fixed.
This morning, The OpenUI Consortium released OpenUI v4.958.
A potentially serious bug has been fixed that could, under specific circumstances, be exploited and allow the execution of potentially dangerous scripts.
It is imperative that any store owners running MIVA Merchant v4.14-4.24 with OpenUI installed - update your installed version of OpenUI to protect your store from this issue.
Thank you to Darren Ehlers (of OpenUI Consortium) for his quick response in resolving this serious issue.
surfgirl
04-02-07, 02:20 AM
Thank you for this information. I noticed the update available when I logged in to my admin page in my Miva store. My only question is, when I use the update wizard to perform the update, will this affect any of my products or the look and feel of the store? I have over 1400 products and don't want to have to reload or start from scratch after updating. Please advise.
Thank you,
Jeanne
www.cutabovescrappin.com/Merchant2/merchant.mvc
dotCOM_host
04-02-07, 02:41 AM
No, updating OpenUI will not make any changes to your products whatsoever.
The upgrade should simply replace OpenUI's own files with newer versions, leaving everything in the store intact.
Having said that, it's always a good idea to make a backup of your store before performing any drastic changes, updates, installing/removing modules, and so on. While this is a simple, minor update that should work fine for most people, there's always the off-chance that your server may crash in the middle of the upgrade, may lose connectivity with the OpenUI upgrade mirror site, etc. In these cases the upgrade may indeed fail and leave your store in a messed-up state, and the fastest way to fix it will be to recover from the backup you made (hopefully) just before the upgrade, and then try the upgrade process again.
dotCOM_host
04-02-07, 02:45 AM
Since I can't edit my original post in this forum, I thought I'd add one more comment here...
In cases where the upgrade fails and you can still log in to your store admin to perform the usual functions, you can also try the OpenUI roll-back feature to restore the last working version of OpenUI. This may save you in case something goes wrong or you need to roll back to the old version because of an incompatibility or conflicts with other modules. Using the roll-back feature will not change your products or other settings in the store - it will only revert the OpenUI version itself, so if you've made changes in your store and are rolling OpenUI back a version or two, you will not lose those changes.
Vic - WolfPaw Computers
04-02-07, 02:45 AM
OpenUI also comes with a utility under Store, Storename, Utilities, Export, OpenUI Settings Backup - which will backup all the OpenUI Look & Feel settings.
Doing the opposite under Import, Restore OpenUI Settings will restore these backed up settings.
You should not need to do this, however; the update wizard typically runs without any problems... but as Remik said, you should periodically back up your site.
Many hosting companies also perform daily backups of your site at no charge - if they do not - you should consider hosting somewhere that does.
surfgirl
04-02-07, 05:08 AM
Thank you for your quick replies. One more question...do I need to close my store for maintenance during the upgrade or can it still be online/open to customers for shopping while performing the update?
Thanks,
Jeanne
dotCOM_host
04-02-07, 06:09 AM
While _technically_ you can do this upgrade in a live store, I'd recommend putting it in maintenance mode - especially if you are going to be making a backup of your store before running the upgrade. If the store is open, you risk having visitors make changes to various database files as the upgrade is running, or as you perform the backup - making it next to useless if you had to revert back to it. You also run a risk that if the upgrade process is making changes in the store, your visitors may see odd screens or error messages as they browse your store during the upgrade. This would only make your store look bad and give your visitors a less than favorable experience. The OUI upgrade will take only a couple of minutes - put your store in maintenance mode; it's not exactly the end of the world if your visitors see a message to come back in 5 minutes. Even Amazon.com and eBay do this every now and then to perform updates or fix things in their online stores.
Jim Cockerham
04-02-07, 04:00 PM
Just to give people peace of mind, because I remember the days when updates sometimes caused problems :) I did run the update yesterday and all is well with my store. Thanks to everyone for the quick fix !
Bruce - PhosphorMedia
04-02-07, 10:09 PM
Just ran the update... it hangs at updating the update wizard. It completes that OK, but doesn't move on to the next item: OpenUI™ Look & Feel.

     Product Name                 Latest   Installed   Recommendation
---> OpenUI™ Update Wizard        4.984    4.979       Ready to Update...
     OpenUI™ Look & Feel          4.958    4.952       Update
     OpenStatistics™              4.958    -----       Details
     OpenDesigner™                4.85     -----       Details
dotCOM_host
04-02-07, 10:15 PM
If it updated the update wizard, log out of the store, log back in and run the wizard again. It sounds like because the update wizard itself was updated first, it's getting confused about self-execution so to speak... ;-) If the update wizard is the current version, the OUI update should run more reliably.
Bruce - PhosphorMedia
04-02-07, 11:19 PM
Nope, still going round in circles on updating the wizard part.
dotCOM_host
04-02-07, 11:58 PM
Bruce,
I just got this from Darren:
If you are running the Wizard v4.979, I'll point out that this version is
from late 2004, making it about 2-1/2 years old. You will probably need to
perform a Manual Update of at least the Update Wizard (ouimw.mvc).
You can download the Manual Update package at:
http://www.openui.org/manual_install/OUI4C_MAN.zip
chucklasker
04-03-07, 06:36 AM
Here is a quick tutorial of the regular update process. I'm in an airport, so there might be some background noise. It's a simple process, but viewing this might make some people feel more comfortable. I didn't show a backup, which, of course, should be done first.
http://www.doubleplus.com/Tuts/openuicriticalupdate/openuicriticalupdate.html
If anyone needs help, let me know. I'll do a basic upgrade, including backup and quick site check, for $50. Or, I'll do one with the manual update files for $75. Just register at my help desk and complete a help ticket at www.doubleplus.com/help with Miva admin and FTP access info. I can bill you after.
surfgirl
04-03-07, 07:38 AM
Ok, so I am getting an error message when trying to complete the update. I get to about 28% and then get the following error:
Runtime error in /Merchant2/4.23/modules/wizard/ouimw.mvc @ [000000ec:00000244]: Line 1003: MvCALL: Read Timeout
Now what???
Thanks,
Jeanne
surfgirl
04-03-07, 07:46 AM
Looks like it finally went through after 5 tries. It kept stopping in the middle and giving me error messages but is now complete.
Thanks,
Jeanne
Jim Cockerham
04-03-07, 03:40 PM
Sorry, I guess I spoke too soon, although it was fast and simple for me, no problems.
Vic - WolfPaw Computers
04-03-07, 05:22 PM
This usually happens with hosts that leave the timeout configuration at the default setting of 90 seconds.
On servers that are busy or overcrowded, this setting is often too low, which causes the timeout issue you were experiencing.
chucklasker
04-04-07, 07:37 PM
This is a good opportunity to mention, again, that having a good Miva Merchant host is extremely important to a successful MM site. Don't lose sales over 10 bucks a month. Search these forums for a million recommendations, or see the ones I recommend at www.doubleplus.com.
CybrHost
04-20-07, 06:43 PM
Sites using the "Login Lookup" module will still fail the scans. The hidden "Order" field is not being encoded with encodeentities() when they output the form.
The scan passes with the "Login Lookup" module disabled. So other modules may need to be updated if you updated OpenUI and the scan still fails.
Thank you,
Gary Hodder
Support
--
CybrHost Corp. - http://www.cybrhost.com/ - info@cybrhost.com
+1-866-300-MIVA - Professional Miva & E-Commerce web hosting services.
Jim Cockerham
04-30-07, 10:23 PM
Gary,
Is this a potential security risk or just an annoying false alarm from Scanalert?
CybrHost
04-30-07, 10:29 PM
It's not a false alarm. The hidden "Order" field is not being encoded with encodeentities() when they output the form.
Thank you,
Gary Hodder
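The defect Gary describes above, shown as an added example. This is Python written for this thread, not Miva Script and not the code of OpenUI or the "Login Lookup" module; html.escape() stands in for Miva's encodeentities(), and the form layout, the field names other than "Order", and the probe value are assumptions of the example. It shows why a hidden field that echoes an unencoded value is a reflected cross-site scripting sink (the probe closes the value attribute and the tag, then injects a script element), how entity encoding closes it, and a simple check of the kind a scanner runs: submit a probe and see whether it comes back verbatim with a script tag the template itself never emits.

```python
"""Unencoded vs. entity-encoded hidden "Order" field (added example, not module code)."""
import html
import re
from typing import Optional

# Constructed attacker input: closes the value="..." attribute, closes the
# <input> tag, then injects a script element. Assumed for this example.
PROBE = '"><script>alert(1)</script>'


def render_lookup_form_vulnerable(order_id: str) -> str:
    """Emit the hidden Order field with the raw value (the pattern the scan flagged).
    Form layout is an assumption; only the unencoded attribute matters here."""
    return (
        '<form method="post" action="merchant.mvc">'
        f'<input type="hidden" name="Order" value="{order_id}">'
        '<input type="submit" value="Look up order">'
        '</form>'
    )


def render_lookup_form_fixed(order_id: str) -> str:
    """Same form, but the value is entity-encoded before it lands in the attribute.
    html.escape(quote=True) encodes & < > " and ', so the value can no longer
    close the attribute; this is the role encodeentities() plays in Miva Script."""
    return (
        '<form method="post" action="merchant.mvc">'
        f'<input type="hidden" name="Order" value="{html.escape(order_id, quote=True)}">'
        '<input type="submit" value="Look up order">'
        '</form>'
    )


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def reflects_unencoded(page: str, probe: str = PROBE) -> bool:
    """Approximation of the scanner's check: after the probe is submitted, does the
    response contain the probe verbatim AND a <script tag that the form template
    never emits on its own? True means the field is an XSS sink."""
    return probe in page and _SCRIPT_TAG.search(page) is not None


def hidden_order_value(page: str) -> Optional[str]:
    """Pull the Order field's attribute value back out the way a browser's
    attribute parser would (naive regex; adequate for this fixed template)."""
    m = re.search(r'name="Order" value="([^"]*)"', page)
    return m.group(1) if m else None


def decoded_order_value(page: str) -> Optional[str]:
    """What the server receives back when the form is submitted: the attribute
    value after entity decoding. For the fixed form this round-trips the input
    exactly, so encoding loses nothing."""
    raw = hidden_order_value(page)
    return html.unescape(raw) if raw is not None else None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_lookup_form_vulnerable),
                          ("fixed", render_lookup_form_fixed)):
        page = render(PROBE)
        print(f"{label}: sink={reflects_unencoded(page)}")
        print("  attribute value seen by browser:", repr(hidden_order_value(page)))
        print("  value round-tripped to server:  ", repr(decoded_order_value(page)))
```

In the vulnerable rendering the browser sees an empty Order value followed by a live script element; in the fixed rendering the probe survives intact as data and comes back to the server unchanged after decoding, which is why encoding the output costs nothing functionally. The same check applies to any other module that writes a request value into a form without encodeentities().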
sebenza
05-01-07, 05:57 AM
First, have you checked for an update on the module? Second, have you been able to verify it to be a threat?
Jim Cockerham
05-01-07, 03:35 PM
Hi Scott,
Yes, I have the latest update, I installed it maybe a week ago. Did that fix the issue?
sebenza
05-01-07, 04:37 PM
Yes... it should have. Let me know if not though.