VirtueMart Forum

VirtueMart General => About VirtueMart => Topic started by: Mark Smeed on January 28, 2010, 12:43:40 pm

Title: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Mark Smeed on January 28, 2010, 12:43:40 pm
Hi Guys,

I’ve just become aware of a SQL injection Vulnerability in all 1.0 versions of VirtueMart.

The summary of the Vulnerability can be found @ http://docs.joomla.org/Vulnerable_Extensions_List

It would seam that the JED became aware of this on the 7th December 09 and therefore was wondering if this has been addressed?

If not when do you think a fix will be available?

Thanks,

:)
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: martin77 on January 28, 2010, 12:57:53 pm
Above the list is said, that only the ones in a red box aren't adressed yet, the virtuemart vulnerability isn't in a red box, so I assume it's fixed.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Mark Smeed on January 28, 2010, 13:50:42 pm
Hi Martin,

Thank you for your post!

If you visit the extensions on the JED you will find that the extension has been unpublished by Joomla! for the following reason: http://extensions.joomla.org/extensions/129/details

Quote
This extension has been unpublished for the following reason: Vulnerable Extensions List - http://docs.joomla.org/http://www.exploit-db.com/exploits/10407_Extensions_List

This is a bit disconcerting, maybe my fear is unjustified however; it would be very helpful to hear from one of the VR developers on this matter if only to set our fears at rest?

To learn more able the SQL Injection vulnerabilities: http://www.exploit-db.com/exploits/10407 & http://www.exploit-db.com/exploits/11271 & http://www.exploit-db.com/exploits/10407

Thanks,

 :)
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: tomkerswill on January 28, 2010, 16:53:28 pm
Hi --- this has also been mentioned on the SANS newsletter today, and on:

http://www.securityfocus.com/bid/37963

It doesn't look like there's a fix available at the moment at all... at least not one that is mentioned on Security Focus. Would love to know more details about how this can be patched!

Tom
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Milbo on January 28, 2010, 19:32:43 pm
First:

The vulnerability does not hit the normal virtuemart because it is only accessible via backend. So long there is no multivendor, so long this is not a vulnerability.
This is a minor problem and next thing this is fixed by Thomas for vm1.1.4b, just download the nightly build from 28.1.10.

Cyas da Milbo
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Mark Smeed on January 29, 2010, 10:35:52 am
Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability however, there seam to be another vulnerability which can be exploited via the front-end!

The vulnerability seam to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

 :)
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bass28 on January 29, 2010, 16:22:30 pm
We feel we have the backend vulnerability for 1.1.4 corrected.  We are investigating the others reported in 1.0 and hope to have patches shortly.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Milbo on January 29, 2010, 16:41:27 pm
Please look here

This line fixes the frontend security leak with the product_id
change line 23 in /html/order.order_status_form.php to
$order_status_id =vmrequest::getInt('order_status_id', 0);

Written by zorkhh: The problem was, that the order_status_id parameter was not checked correctly and accepted strings where only integers should be allowed. This way the injection could happen. Now it makes sure that the variable can contain only integers.

This should help, the changes are already in the svn, we will release a patch soon.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: David-Andrew on January 29, 2010, 16:46:00 pm
Doing great work guys, keep it up!

Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: zorkhh on January 29, 2010, 16:54:38 pm
Hi,

you should check vm-expert.com more often  ::)

We have published this solution here after we have updated the SVN: http://www.vm-expert.com/virtuemart-expert-blog/82-security-fix-for-vm-114 (http://www.vm-expert.com/virtuemart-expert-blog/82-security-fix-for-vm-114)

Cheers,

Thomas
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bsavic on January 29, 2010, 20:45:12 pm
Hi Everyone,

I could not recreate this issue on a site with VirtueMart 1.0.15., server have magic quotes enabled.

Is this because magic quotes? What do you think?

Thanks

Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: zorkhh on January 29, 2010, 20:51:27 pm
Be careful with the versions! The last post where VM 1.1.4 related...

Thomas
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bass28 on January 30, 2010, 03:29:50 am
I added files to SVN for both 1.0.15 and 1.1.4 which should eliminate the SQL injections that have been reported.  If anyone comes across anymore let us know.

I will post patched files on the site for download soon.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bass28 on January 30, 2010, 16:05:37 pm
Here are the patch files for 1.0.15 and 1.1.4.  Just extract them into your Joomla root folder.  The first part of the filename indicates the version. ;)

[attachment cleanup by admin]
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: tomkerswill on February 02, 2010, 17:28:42 pm
Ah great - thanks so much for the quick action and fix. Am finding virtuemart to be really excellent!
Tom
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Soeren on February 03, 2010, 10:53:54 am
Thanks again for the quick fixes.
I have published a news article here: http://virtuemart.net/news/list-all-news/366
The security bulletin can be found here: http://virtuemart.net/security-bulletins/365-vm-security-bulletin-2010-01-30

ciao, Sören
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: virtoom on February 07, 2010, 13:40:16 pm
Thanks a lot! If I download a fresh copy of VirtueMart, I don't need the patch I suppose?

Thanks in advance,

V.
Title: The fix for nothing?
Post by: Simon A. on February 11, 2010, 17:34:14 pm
The shop.product_details exploit mentioned above on exploit-db.com does not affect my site running VM 1.0.14.

Regarding the shop.product_details  exploit, I posted this earlier to the News section of the VM website when the forum was down:

Shemzone already pointed out the additional code in shop.product_details.php added to try to fix this bug:

Code: [Select]
 
  // Check for non-numeric product id
    if (!empty($product_id)) {
     if (!is_numeric($product_id)) {
      $product_id = '';
     }
    }



BUT $product_id is already forced to be an integer just a couple lines earlier:

Code: [Select]

    $product_id = intval( mosgetparam($_REQUEST, "product_id", null) );


It doesn't look like the new code prevents any SQL injection via $product_id because no SQL injection was possible before.

Can anyone here confirm that the exploit is for real?

 How does the newly added code fix the problem if it is for real?
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: nedge2k on February 12, 2010, 16:34:10 pm
Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability however, there seam to be another vulnerability which can be exploited via the front-end!

The vulnerability seam to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

 :)


Are any of the admins going to address this? Or is it in the patch already?

FWIW, I just had a look at my html/shop.product_details (VM 1.1.14) and amended the following as per the backend fix:
Code: [Select]
Line 35
//$product_id = intval( vmGet($_REQUEST, "product_id", null) );
$product_id = vmrequest::getInt('product_id', 0);
//$category_id = vmGet($_REQUEST, "category_id", null);
$product_id = vmrequest::getInt('category_id', 0);
//$manufacturer_id = vmGet($_REQUEST, "manufacturer_id", null);
$manufacturer_id = vmrequest::getInt('manufacturer_id', 0);

(original code //commented out)

I know it's supposed to be a 1.0 glitch but it looks like the category and manufacturer id's could be vulnerable in 1.1?
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: xnsjay on March 05, 2010, 10:17:11 am
very good..
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: korij on April 11, 2010, 07:10:13 am
I just downloaded virtuemart april 1, have the patches for 1.1.4 already been intergrated or should I still apply them?
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: felixp on April 29, 2010, 21:16:30 pm
We're running version 1.1.3. Does this apply to us as well? And if it does, is there a place to see the changes/updates so we could apply them manually. Thank you!
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: scanreg on June 04, 2010, 15:14:30 pm
I just downloaded virtuemart april 1, have the patches for 1.1.4 already been intergrated or should I still apply them?

Same concern here
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: sled10 on July 13, 2010, 18:51:25 pm
I extracted the vm114 file and your instructions say to place it in my Joomla root folder, but I already have a folder called administrator. Do you want me to overwrite the whole administrator folder or just upload the two individual files that are inside the html folder ? thanks for the clarification.