VirtueMart Forum

VirtueMart 2 + 3 => Virtuemart Development and bug reports => Development & Testing => Topic started by: kailash745 on September 21, 2017, 15:42:28 pm

Title: bug in media upload from admin end
Post by: kailash745 on September 21, 2017, 15:42:28 pm
Regarding the stored XSS (cross-site scripting) vulnerability found in "VirtueMart" because of improper validation of user input. Kindly fix this issue asap and do review the code of other fields too in the application.

Vulnerability Risks: hijacking another user's browser; pseudo defacement of the application; directed delivery of browser-based exploits; and many more.

NOTE: Please fix both the reported issues asap (XSS and unrestricted file upload). As in the past, because of these vulnerabilities, sites were completely defaced by the attackers.


Step 1: go to the VirtueMart product/category in the back end
Step 2: click on the upload image section
Step 3: upload any file; even a script file (.php) also gets uploaded
Title: Re: bug in media upload from admin end
Post by: franzpeter on September 21, 2017, 17:10:02 pm
Do you mean that seriously? How do you want to sell downloadable products like extensions or other things from a shop? Those files need to get stored somehow. It is your decision what you upload in the backend via the Media Manager. You are the shop owner.
Title: Re: bug in media upload from admin end
Post by: AH on September 21, 2017, 17:17:49 pm
How did the "attackers" get access to your admin area?

This seems nonsense, to "blame" VM.

Surely they could have just done FTP also.
Title: Re: bug in media upload from admin end
Post by: Milbo on September 21, 2017, 17:35:32 pm
kailash745, it is a matter of permissions.

We have two permissions for this matter. In English they are called

"Allow all kind of files, instead of only images and safe types"
"Media potential trusted"

The first is the VM filter, which just checks for file types. This is necessary when you want to sell zips containing PHP. The second is the Joomla filter. Both rights should be set to allowed for Super Administrators. But of course they should be set to "not allowed" for non-admins.

So I don't see a security issue here. When a shop allows users to upload media in VM, it is a multi-vendor shop and the rights should be set correctly, of course. When the shop allows uploading media for a product, then these are 3rd-party products. They may use our upload; when they do, as long as the rights are set correctly, anything should be safe.

When you install a fresh store, the rights are set correctly, so I don't see a problem here.
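As an added illustration, not code from VirtueMart or Joomla, here is a small Python model of the two-layer policy Milbo describes: a file-type filter that only the "Allow all kind of files" right can bypass, and a second filter that only "Media potential trusted" can bypass, with both rights granted only to Super Administrators on a fresh install. The permission names are the two rights quoted in the thread; the safe-type list, the use of file signatures as the second layer's check, and the sample uploads are my assumptions.

```python
"""Constructed model of a two-layer media upload policy (not VirtueMart code).

Layer 1 models the VM file-type filter: only images and other safe types
pass unless the user holds "Allow all kind of files".
Layer 2 is an ASSUMED content check standing in for the platform filter:
the file's leading bytes must match the claimed extension unless the user
holds "Media potential trusted".
"""
from dataclasses import dataclass

SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}  # assumed safe list

# Standard leading bytes (file signatures) for each safe type.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF",
}


@dataclass
class User:
    name: str
    allow_all_file_types: bool = False  # "Allow all kind of files, instead of only images and safe types"
    media_trusted: bool = False         # "Media potential trusted"


def default_permissions(group: str) -> User:
    """Fresh-install policy as described: both rights on for Super Administrators only."""
    is_super = group == "superadministrator"
    return User(name=group, allow_all_file_types=is_super, media_trusted=is_super)


def extension_of(filename: str) -> str:
    """Last suffix, lower-cased; empty string if there is none."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def check_upload(user: User, filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one upload attempt."""
    # Reject names that could escape the media directory or hide as dotfiles.
    if "/" in filename or "\\" in filename or filename.startswith("."):
        return False, "rejected: unsafe file name"
    ext = extension_of(filename)
    # Layer 1: type filter, bypassable only by the "allow all kind of files" right.
    if ext not in SAFE_EXTENSIONS and not user.allow_all_file_types:
        return False, f"rejected: .{ext or '?'} is not an image or safe type"
    # Layer 2: content must match the claimed safe type unless the user is trusted.
    expected = MAGIC.get(ext)
    if expected is not None and not content.startswith(expected) and not user.media_trusted:
        return False, f"rejected: content does not look like .{ext}"
    return True, "accepted"


if __name__ == "__main__":
    vendor = default_permissions("vendor")
    admin = default_permissions("superadministrator")
    # Constructed sample uploads: a script, a script renamed as an image,
    # a real PNG header, and a zip a shop owner might sell.
    print(check_upload(vendor, "shell.php", b"<?php echo 1; ?>"))
    print(check_upload(vendor, "shell.png", b"<?php echo 1; ?>"))
    print(check_upload(vendor, "logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
    print(check_upload(admin, "extension.zip", b"PK\x03\x04" + b"\0" * 16))
```

The point the model makes is the one in the thread: the same upload code is safe or unsafe purely as a function of which account holds the two rights, so the check worth doing on a multi-vendor shop is an audit of who has them, not a change to the uploader.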