vm < 2.6.10 insecure? [solved]

jenkinhill · September 13, 2014, 14:23:22 PM

How about removing registration?

AH · September 13, 2014, 16:18:24 PM

Yes Jenkin we have considered that. And thanks for the reply

Prefer a fix though as it is not really just about me but all the many users that have still to migrate.

Milbo · September 16, 2014, 12:17:31 PM

You just need to remove the usertype, instead of isRoot. But yepp, the problem is also there.

AH · September 16, 2014, 21:55:33 PM

VM1.1.9

Confirmed no issue

Thanks Milbo and the devs!!!!!!!!!!

Milbo · September 17, 2014, 15:12:16 PM

yeh but you could see, that it got also fixed there, because only one file works correct, the other is only for the Backend and therefore dont needed the fix.

AH · September 17, 2014, 16:18:38 PM

Yep - so nothing to change - but you guys did the work to confirm that the front end did not have a security hole.

I a sure you will be inundated with thanks from the VM1.1.9 users that are yet to migrate.

PS if anyone reading this is still on VM1 you should seriously have a plan for migration by now!!

efocus · September 22, 2014, 23:43:27 PM

Quote from: Hutson on September 16, 2014, 21:55:33 PM
VM1.1.9

Confirmed no issue

Thanks Milbo and the devs!!!!!!!!!!

I am confused. I don't see any evidence in this thread about VM1.1.9 not being affected by this security vulnerability. Can someone please confirm if that's what Hutson means?

GJC Web Design · September 23, 2014, 02:11:30 AM

Although vm1.1 also uses a bind the "sensitive" vars are set after this so any "evil" post can't get any further (is reset) .
So vm1.1 front end registration is safe - you can check in the ps_shopper.php

AH · September 23, 2014, 09:33:20 AM

As JJK said

The fields that could create an issue if they were "fiddled" with in POST

Are actually set programmatically AFTER the POST bind process

Effectively wiping out any "fiddled" with sensitive fields

News:

vm < 2.6.10 insecure? [solved]