MIVA® HOSTING: CHAMBER OF HORROR
by Ivo Truxa, 09/13/2002 (yes, it was Friday)
- Disclaimer
- 1-Host.com
- Aplus.net
- Apollo Hosting
- CrystalTech
- Dellhost
- Hostcentric
- Hosting4Less
- Interland
- Jumpline
- OLM
- SerraHost
- Server4You
- Tierranet
- Valueweb
- ViaNetworks
- XO
- Yahoo!
- Contributors
- Useful links
- User Comments
This page is compiled from information obtained from developers, store builders, system administrators and advanced users who often have to fight against unbelievable incompatibilities, misconfigurations, bugs, security holes, and other oddities that are unfortunately almost omnipresent. The creativity of system administrators at many hosts is amazing and never ceases to surprise me. Please note that I am saying neither incompetence nor stupidity, although I would really like to.
For the moment there is only a small collection of such problems. Unfortunately I made no records earlier, but do not be afraid, this section will certainly grow. Feel free to send me your story too.
Disclaimer
Well, I wanted to write a legal disclaimer here to protect me from possible attacks from the hosts. Right now, I actually do not feel like a lawyer, so I will leave it for another time. You all know what it ought to be. All published information consists of subjective opinions of individuals, based on experience with concrete cases, and does not necessarily express the real status quo. Etc, etc, blah, blah,...
1-Host.com
| Unix | Fatal security hole - Miva data is inside public web space and fully accessible to anyone. | 01/23/2004 | ad |
1-host in Adam Denning's Miva List archives
Aplus.net
| all | Serious security hole for previous installations. This hole makes all store data vulnerable to being accessed by anyone. Aplus.net has advised they no longer do this as of mid-2002, but has made no efforts to contact all previously installed stores to fix it. They say if a customer contacts them they will fix it, but since most customers don't know about it they don't do many fixes. They do not fix it unless it's requested. | 10/10/2002 | ph |
| | It appears that Aplus.net prohibits outgoing connections from their servers. Most 3rd party Miva Merchant modules require an outgoing connection to handle licensing. | 10/15/2003 | de |
Aplus.net in Adam Denning's Miva List archives
Apollo Hosting
| all | Standard and secure files must be present, duplicated, in two separate directories. This means most modules uploading, copying, modifying or otherwise handling files in the web directory may fail, because the file will be missing in one of the directories and will need to be copied manually (standard mode cannot access files in secure mode and vice versa). | 04/07/2005 | tx |
Apollo Hosting in Adam Denning's Miva List archives
CrystalTech
| Win | Two different FTP accounts for Miva Data and Miva Script (web) directories, using different user ID's. Different ownerships of the data and scripts do not allow moving data files to the script dir. Diag.mv fails with error "unable to copy to script dir", but CrystalTech claims that it is the correct and only possible setup and that the files have to be moved in FTP! | 07/11/2003 | tx |
| ? | Miva Script files can be downloaded by any visitor accessing them directly instead of the insecure long cgi-bin URLs. It includes all native Miva Merchant files as well as any 3rd party modules | 10/08/2003 | sp |
CrystalTech in Adam Denning's Miva List archives
Dellhost
| Win | Entire Miva Script directory is located in cgi-bin instead of web root. It took me a good moment to realize it and to find the well hidden files. | 09/11/2002 | tx |
| Win | FTP extremely slow; it times out at big directories (~500 files). I spent all day on uploading 10MB of files. | 09/11/2002 | tx |
| ? | Dellhost has FTP chokes on their sites. So, if you have DSL, with a static IP, you have about 100 MB of transfer, after that, you're screwed unless you go to dial-up. | 06/21/2002 | bg |
| all | Constantly tells customers they are not allowed to install modules because they will conflict with the server. Support there thinks modules are server software and dll files. Customers can install most third-party modules just fine. | 09/25/2002 | ph |
Dellhost in Adam Denning's Miva List archives
Hostcentric
| ? | Some of their sites contain multiple duplicate Merchant2/ directories, and they are not mirrors. Cannot get working scripts and modules by ftp'ing file and adding manually. Module will install when ftp'd to the proper directory, and is configurable, but an obvious ghost directory resides somewhere. After manually adding module, and configuring, file is not accessible by accessing merchant.mv - an error will return that it does not exist, thus rendering the store useless. Additionally, switching Look & Feels from OpenUI to MMUI times out, and only option is to resort to backup. (Pamela Hazelton) | 10/07/2003 | ph |
Hostcentric in Adam Denning's Miva List archives
Hosting4Less
| Unix | Security hole - Miva data is inside public web space. | 04/30/2005 | tx |
Hosting4less in Adam Denning's Miva List archives
Interland
| Win | No fscopy(), fsrename(), no module upload in Miva Merchant possible. Miva Data directory owned by other uid than the Miva Script dir. | early 2002 | tx |
| Win | mivadata directory completely hidden - even from the owner! I was working on the site, and could not locate the mivadata dir. I had to get tech support to find the export I had created and email it to me! It took a few hours (fortunately no longer) for them to respond - and they still did not tell me if I could get access, only "here's your file". | 09/25/2002 | gill |
| dedicated server | Two document directories. Merchant is getting "no such file or directory" for modules which are clearly uploaded via admin and present on the server. On the server, there are 2 folders: httpdocs and httpsdocs. Apparently, when I uploaded the modules in the non-secure mode, they never made it to the secure folder from which they have to be read. Note: hopefully this is not a standard setup on Interland dedicated servers. | 05/03/2003 | ww |
Interland in Adam Denning's Miva List archives
Jumpline
| - | More than a year after the release of Miva Empresa v4.02, Jumpline.com still uses this outdated, unstable, extremely buggy and insecure engine version, and for unknown reasons refuses to upgrade. Many Miva Script products and Miva Merchant modules won't work under ME v4.02. | 10/15/2003 | sf |
Jumpline in Adam Denning's Miva List archives
OLM
| - | I had a host of troubles (no pun intended ;) with OLM. The worst part was that the email server they put my account with was listed in the SPEWS database, so some percentage of my emails to people were being blocked by anti-spam software and never reached the intended recipient. See http://www.epinions.com/content_60831075972 for complete details! | 04/08/2002 | sp |
OLM in Adam Denning's Miva List archives
SerraHost
| ? | Throughput for incoming data transfer averages ~3kBps, and reaches at most 4kbps. For comparison, that is about half the speed of a slow dialup modem. Commonly, the download throughput reaches 200-900 kBps at decent hosts. | 09/04/2003 | tx |
SerraHost in Adam Denning's Miva List archives
Server4You
| ? | There are two independent instances of web directories, which also means two Merchant script directories (in addition to the Merchant data dir, of course). Modules installed in secure mode will not be present in standard mode and vice versa. Run-time file operations will often fail because of this incomprehensible misconfiguration. The host claims "it is very difficult to do it" (sic). | 10/07/2003 | tx |
Server4You in Adam Denning's Miva List archives
Tierranet
| Unix | No fdelete() possible in Secure mode! | 09/12/2002 | tx |
| Unix | only 45s globaltimeout in secure mode! Easily causing failed payments and corrupted data. | 09/12/2002 | tx |
Tierranet in Adam Denning's Miva List archives
Valueweb
| all | Permanent problems with mailserver. Overloaded, unreliable, slow, losing email, not sending notifications without error message. | 2001 - 2002 | tx |
| Unix | Serious security hole - Miva Data directory in public web space! All data downloadable by default. (some servers only) | early 2002 | tx |
| Unix | In the past, domains have mysteriously dropped out of the auth file. When such things happen, tech support has to escalate the problem to another team, which may or may not be working at that time, and may not get to it till the next day. The result is a store down for many hours. | 09/25/2002 | ph |
| all | Also, has been known to just reset stores when there are problems, overwriting any databases or customizations. | 09/25/2002 | ph |
| all | Valueweb allows 100 outgoing emails / hour! Their assumption is that anyone sending more is spamming and will be disabled. To this point, I've only known of one person who actually got banned at the point of sending 4300 of 7000 emails. I haven't been able to get a comment after one hour on the phone. Their attitude seems to be 4300.. they MUST be spammers. | 10/22/2002 | kh |
Valueweb in Adam Denning's Miva List archives
ViaNetworks
| ? | Fatal security hole - Miva Data directory in public web space! All data publicly accessible and downloadable by default. The host does not understand the basic rules of security and is incapable of following Miva Empresa installation instructions. They were not able or willing to fix the incredible security hole even after being notified about it by Jason Henderson. | March 2003 | jh |
ViaNetworks in Adam Denning's Miva List archives
XO
| Unix | Very weird file system not allowing users to access their data | early 2002 | tx |
| Unix | Using a custom web server (ConcentricHost-Ashurbanipal/1.7) not compatible with Apache. Most settings in .htaccess do not work at XO, although some are accepted. | early 2002 | tx |
| Unix | XO limits access to some sections of Miva Merchant Admin - i.e. Domain Settings, Modules, etc. | 09/28/2002 | dh jw |
| Unix | Requires customer to call in to request ftp access with proper permissions. By default, this host does not give ftp access, but instead expects customers to manipulate all files via a web tool, which is clunky at best. | 2002 | ph |
| ? | XO allowing you to view the source of any .mv file | 2002 | ad |
| Unix | Sources of all miva scripts are displayed in plain text when accessed directly. Only cgi-bin calls parse them! | 10/14/2002 | tx |
| Unix | TxDIAG does not run on XO servers - triggers 500 Internal Server Error. | 10/14/2002 | tx |
XO Host in Adam Denning's Miva List archives
Yahoo!
| Unix | Yahoo! uses one of the most sophisticated Miva setups I ever saw, with complicated load balancing through server clustering. Most probably its purpose is to run the highest possible number of domains per server. In spite of the sophisticated system, Yahoo's servers traditionally rank at the bottom of performance tests such as Mr. Moon's Miva Test. The side effect of this complicated system is that it often breaks down, there are a lot of compatibility issues and many features work differently than a Miva developer is used to. | 2002 | tx |
Yahoo! in Adam Denning's Miva List archives
Contributors
Some Useful Links
MIVO! Miva Security
Miva Empresa Documentation
Miva Script User List Archive
Miva User Groups