vm < 2.6.10 insecure? [solved]

Started by slammy, September 07, 2014, 14:43:07 PM

slammy

Hi Community,

I saw in a signature from a forum moderator the hint that < 2.6.10 is insecure. I just took a look at virtuemart.net and found no information on that detail or in the latest news. Searching the forum for "2.6.10" + "insecure" does not find any other information than this signature: http://forum.virtuemart.net/index.php?topic=118683.msg402445#msg402445

I believe that in the past virtuemart.net was sending emails about new versions/SRs to registered users. Maybe this is related to the mail problem, and do you strongly recommend switching to 2.6.10 from 2.6.8b, for example?
Regards, Jens

dimi2013

Yeah, I got nothing too. No emails, nothing. I used to get them in the past.

jenkinhill

This has not been announced yet; the problem in VM was identified and fixed by our lead developer. It is possible that other Joomla components may have the same issue with Joomla code and could potentially be at risk if the "exploit" became known.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

AH

And some not so great press here:

http://www.pcworld.com/article/2606312/vulnerability-in-popular-joomla-ecommerce-extension-puts-online-shops-at-risk.html

It might be that a patch is required for older shops, if possible, rather than a full upgrade, which could take many people some time to implement, especially if they need to test ALL the possible changes.

And there are other sites that actually spell out the vulnerability and what a malicious attacker could do to exploit it!

It is great to have an update out there so quickly - but some users will not be able to upgrade quickly - so what can they do to stop the script kiddies killing their business?

It should be possible to implement a patch in older VM2 versions 2.6.8c and lower - it looks like a very small change to one file from what I can make out?
Regards
A

Joomla 3.10.11
php 8.0

jenkinhill

I see a problem in that a patch would reveal where the problem is, and it is an issue with some other components as well, so they would not want the possible exploit known. It's not rocket science to see that there are 68 core files changed between 2.6.8 and 2.6.10 and a similar number of changes in AIO packaged files (although many of these will be changes in version numbering). I don't know if there would have to be different patches for the many different versions of VirtueMart.

The only people who will have issues updating from recent versions will be those who have hacked the core - which of course we do not recommend.

I guess it would be better if the actual Joomla code that can lead to this vulnerability were fixed. Sucuri are looking into this, and J! devs do know about it. https://twitter.com/virtuemart/status/509768667962552320
AH

Jenkin

I agree this is a problem.

The security issue, I believe, is in one file only, but yes, how to get it out there without alerting so many - however, what is the business risk to VM when shops start getting hacked?

The bad press alone is not great.

I agree that J devs should sort it out, but users are vulnerable now and we should think about how we mitigate the potential negative impacts.

Regarding people having issues with an upgrade - please be serious - hacking the core is not the only thing to consider.

All stores would need to test the upgrade and any impacts it might have on their live site and any templating overrides. This could take weeks for some users.

If my cursory research is correct, a small patch could be implemented and tested within hours for most sites.

Of course a full VM update is great if possible - it's just that when it might not be, VM's reputation could take a spanking.

slammy

OK, finally there is latest news on this and how to patch if you cannot update your VM. Take a look here: http://www.virtuemart.net/news/latest-news/462-security-release-of-vm2-6-10-and-vm2-9-9b
Regards, Jens

Jose M.

Hi,
Until we can update VM fully, can we directly copy the user.php file from version 2.6.10 into version 2.0.16, overwriting it?
Or include only the lines indicated?

Thanks
Jose

jjk

@Jose M.
Adding the lines is meant as a 'first aid' solution if you can't/don't want to update to 2.6.10 or can't use the file copy due to personal customizations. If you have FTP access, I would recommend just renaming the old user.php file to user.php.bak and then uploading the new user.php. Very easy to do and takes only one minute. If something goes wrong (very unlikely), you can always simply rename the old file again.
(I just added the new user.php to my VM 2.0.26 live site - no problem, everything is still working.)
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

AH

Anyone got a solution for the completely out of date (but still in use) VM 1.1.9?

#old school

And save your breath with any "upgrade to VM2" comments please!
jjk

@Hutson
Quote from: Hutson on September 13, 2014, 12:53:50 PM
And save your breath with any "upgrade to VM2" comments please!
And how about asking the Joomla guys? ;D If I'm not mistaken, the relevant piece of code has its origin in Joomla 1.x and is still being used in J1.5.x. But certain Joomla guys reject that Joomla is affected. And if they would admit it, you know the answer: "Update".
I know this comment doesn't help ;)
AH

JJK

Thank you for the response.

From what I can gather, the Joomla guys don't appear to give a fig, even with Joomla 2.5.

Upgrade, oooohh, one day soon we will.

I think that the script kiddies will be spending their time working on exploiting Joomla 2.5 new sites, as it will be like shooting fish in a barrel.

Especially if Joomla devs fail to own up to a massive faux pas and fix it immediately - just imagine how many components are open to this exploit (very bad, Joomla!).

I believe that the exploit still requires the user to sign in as admin after they have raised their permissions, and there are a few plugins that help reduce the possibility of admin access for VM1.

I am hoping someone will see the way to posting something here that would help the old schoolers using VM 1.