SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!


Mark Smeed:
Hi Guys,

I’ve just become aware of a SQL injection vulnerability in all 1.0 versions of VirtueMart.

The summary of the Vulnerability can be found @ http://docs.joomla.org/Vulnerable_Extensions_List

It would seem that the JED became aware of this on the 7th December 09, and I was therefore wondering if this has been addressed?

If not when do you think a fix will be available?

Thanks,

:)

martin77:
Above the list it is said that only the ones in a red box aren't addressed yet; the VirtueMart vulnerability isn't in a red box, so I assume it's fixed.

Mark Smeed:
Hi Martin,

Thank you for your post!

If you visit the extension on the JED you will find that it has been unpublished by Joomla! for the following reason: http://extensions.joomla.org/extensions/129/details

Quote

This extension has been unpublished for the following reason: Vulnerable Extensions List - http://docs.joomla.org/Vulnerable_Extensions_List

This is a bit disconcerting; maybe my fear is unjustified. However, it would be very helpful to hear from one of the VM developers on this matter, if only to set our fears at rest.

To learn more about the SQL injection vulnerabilities: http://www.exploit-db.com/exploits/10407 & http://www.exploit-db.com/exploits/11271

Thanks,

 :)

tomkerswill:
Hi --- this has also been mentioned on the SANS newsletter today, and on:

http://www.securityfocus.com/bid/37963

It doesn't look like there's a fix available at the moment at all... at least not one that is mentioned on Security Focus. Would love to know more details about how this can be patched!

Tom

Milbo:
First:

The vulnerability does not hit the normal VirtueMart because it is only accessible via the backend. As long as there is no multivendor, this is not a vulnerability.
This is a minor problem, and the next thing is that it is fixed by Thomas for vm1.1.4b; just download the nightly build from 28.1.10.

Cyas da Milbo
