I have same error.
So i checked if this really add some security.
Direct acces to this file get downloaded. So the BUG, do not prevent any read of this file.
So please change the file
JOOMLAROOT/administrator/components/com_virtuemart/helpers/vmcrypt.php
private static function _createKeyFile($keyPath, $size = 32){
$usedKey = date("ymd");
$filename = $keyPath . DS . $usedKey . '.ini';
if (!JFile::exists ($filename)) {
$key = self::crypto_rand_secure($size);
vmdebug('create key file ',$size);
$date = JFactory::getDate();
$today = $date->toUnix();
$dat = date("Y-m-d H:i:s");
$content = ';<?php die(); */
[keys]
key = "'.$key.'"
unixtime = "'.$today.'"
date = "'.$dat.'"
b64 = "0"
size = "'.$size.'"
; */ ?>';
$result = JFile::write($filename, $content);
return array('key'=>$key,'unixtime'=>$today,'date'=>$dat,'b64'=>0,'size'=>$size);
} else {
return false;
}
}
TO
private static function _createKeyFile($keyPath, $size = 32){
$usedKey = date("ymd");
$filename = $keyPath . DS . $usedKey . '.ini';
if (!JFile::exists ($filename)) {
$key = self::crypto_rand_secure($size);
vmdebug('create key file ',$size);
$date = JFactory::getDate();
$today = $date->toUnix();
$dat = date("Y-m-d H:i:s");
$content = '
[keys]
key = "'.$key.'"
unixtime = "'.$today.'"
date = "'.$dat.'"
b64 = "0"
size = "'.$size.'"
';
$result = JFile::write($filename, $content);
if($result) chmod($filename,0600);
return array('key'=>$key,'unixtime'=>$today,'date'=>$dat,'b64'=>0,'size'=>$size);
} else {
return false;
}
}
chmod 600 disable download or direct accces to this file.
If chmod 600 give some trouble, then remove the
<?php die(); */
*/?>
because this don't secure the file.