05 June, 2013

Recently I was asked to compile a list of all CiviCRM releases since 3.1.0, identifying which were security releases so that we could make sure clients' sites were secure. The organization I work for (Freeform Solutions) is focused on doing sites for other non-profit organizations, many of whom are still running older versions of CiviCRM due to budgetary or other constraints, so we wanted to be sure that no one was running a version known to contain security vulnerabilities. Since this seemed like the sort of resource that might be useful to other CiviCRM users, I'm sharing it here.

Of course, the simplest approach is probably just making sure any given client is running the latest release of their particular CiviCRM version (4.3.x, 4.2.x, etc.). But this isn't always reliable (as pointed out by Herb in a comment below), because security fixes are not always applied to older versions (currently, versions prior to 4.2 are not being updated...

17 April, 2013
By totten

IMPORTANT: You do NOT need to upgrade CiviCRM to remove this vulnerability. See "Prevent Attacks: Delete the Vulnerable File" below.

In recent days, multiple site administrators have reported evidence that their sites were attacked using vulnerabilities in the OpenFlashChart library included with prior versions of CiviCRM. This vulnerability was eliminated in the CiviCRM v4.2.6 release (Dec 2012), and site administrators were strongly advised to apply the upgrade. However, as older versions of CiviCRM are still vulnerable, site administrators running outdated versions of CiviCRM should take steps immediately to prevent new attacks and identify past attacks. This blog post provides some background and suggestions.

You can check what version of CiviCRM you are using by looking on any CiviCRM page.  The version is displayed at the bottom of the screen (see screenshot...

20 November, 2012

Just created a quick ERD for CiviCase, and shared it on this page http://wiki.civicrm.org/confluence/display/CRMDOC42/CiviCRM+ERD+3.3.

It is version 3.3, so not the latest and greatest. But I am sure I will have to check the same ERD for version 4 at a near point in the future and update the ERD too. And I do not think there are major differences in the data model......

I have also attached the ERD to this blog post.

12 September, 2012
By pkeogan

Vanco Payment processor

BackOffice Thinking is pleased to release the Vanco payment processor to the CiviCRM community. Today we are releasing versions for 3.4x and 4.1x and hope to have a 4.2x version shortly.

This processor allows single payment and recurring for credit cards and ACH (electronic check).

The Vanco payment processor is quite popular among religious organizations and we have been utilizing this processor for the past 2 years with many of our clients. Thanks for all the support from the Vanco team along the way.

The files, including detailed instructions, can be downloaded here.

Vanco 3.3 and 3.4

Vanco 4.1

The installation is more involved than other...

04 April, 2011
By hershel
Filed under v3.3, CiviCRM, Drupal, Joomla

There are three ways one can customize the look of CiviCRM pages:
  1. Customizing CiviCRM templates
  2. Custom CSS in a Joomla! template or Drupal theme
  3. Custom jQuery code

In this post we will review them and provide a few examples of the most complicated method, jQuery manipulation.

Customizing CiviCRM templates

This method is described in depth on our wiki under Theming CiviCRM and the subpages therein. The advantage of this method is that it is fairly easy to make simple changes. The disadvantage is that upgrades may significantly change the core templates and thus require one to redo the customizations “from scratch.”

Custom CSS in a Joomla! template or Drupal theme

If your site uses a custom template or theme, then using normal CSS rules, one can fairly simply override the core CiviCRM CSS rules and replace them with your...
30 March, 2011
By xcf33

Many modern web applications have a lot of spam deterrents such as Captcha, Bayesian filters, URL and IP detection, etc. One example is trying to do 2 consecutive searches on the CiviCRM.org forum, and you will get an error that looks like

"Your last search was less than 5 seconds ago. Please try again later."

The concept behind this flood control is to prevent a webbot (automated script) from spamming and flooding the server.

Sometimes this technique is useful in place of something such as a Captcha system, because when someone performs a search on the forum, it would be annoying to have to play the "guess game" with a captcha every time, which would discourage the usage of the search functionality.

We are applying the same concept to the CiviContribute contribution page in an attempt to stop spammers from using the contribution form as a gateway to test fake or stolen credit cards. See the code in the...

28 March, 2011
By shot
Filed under v3.3, CiviCRM

The team is excited to announce the release of CiviCRM 3.3.6 - it is now available for download. You can also try it out on our demo site. This is a bugfix release resolving a few issues.

What's new?

Here is an overview of the feature list for this stable release:

  • CiviMail workflow functionality (Rules Integration). Read more here.
  • Back-office staff can now enter recurring contributions for constituents. Constituents can sign up for automatically renewing memberships via online contribution pages. Back-office staff can also create auto-renew memberships. (Both features require use of Authorize.net, PayPal Pro or...
08 February, 2011

The team is excited to announce the release of CiviCRM 3.3.5 - it is now available for download. You can also try it out on our demo site. Apart from fixing a few bug issues, this release contains two critical security updates:

  • Cross site scripting problem, where the site can be exploited to execute arbitrary JavaScript.
  • Permissioning vulnerability, which allowed anonymous users to potentially change information for another contact.

Please consider doing an upgrade as soon as possible to avoid potential security risks. If you have already upgraded using the 3.3.4 release package - and you did not experience any errors during the upgrade - then you...

08 February, 2011
By michal
Filed under v3.3

The 3.3.4 release has been pulled due to potential problems during upgrade. We will be posting a 3.3.5 release with the security fixes shortly. If you've downloaded 3.3.4 and haven't done the upgrade yet, you can trash that file and wait for 3.3.5 later today. If you've upgraded to 3.3.4 and did NOT get an error - then your upgrade is fine.

19 January, 2011
Filed under v3.3, CiviCRM

The team is excited to announce the release of CiviCRM 3.3.3 - it is now available for download. You can also try it out on our demo site. It is mainly a bug fix release (around 40+ issues) - for the full list of things that have been fixed/improved in 3.3.3, please take a look at our issue tracker.

What's new?

Here is an overview of the feature list for this stable release:

  • CiviMail workflow functionality (Rules Integration). Read more here.
  • Back-office staff can now enter recurring contributions for constituents. Constituents can sign up for automatically renewing memberships via online contribution pages. Back-office staff can also create auto-...