Security audit failed on VM 3.0.10.

Started by ptrouw, October 20, 2015, 17:35:55 PM

ptrouw

Hi,

Last week I had a security audit on my website, J3.4.4 and VM 3.0.10. We have to comply with the Dutch eshop certification standard. The audit is done by an independent auditor.
And unfortunately it failed. Mainly WASC-8 Cross-Site Scripting and WASC-19 SQL Injection.
Any idea how to proceed?
I have a detailed confidential report, if that is helpful?

jenkinhill

Is it this? Every Joomla user is recommended to update on Thursday: https://www.joomla.org/announcements/release-news/5633-important-security-announcement-pre-release.html

Check after that, but VM3.0.10 has already been superseded by 3.0.11, for testing on backups first.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

ptrouw

thx for the very quick response.

Yes I assume it could be j3.4.4. But how can I know for sure?

I can only ask for 1 rescan, and if it fails again, we lose our certificate for one year!

Is 3.0.11 bringing new security improvements?

Milbo

yes! one sql injection, mainly harmless, because only possible with superadmin rights and one XSS
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

jjk

Quote from: ptrouw on October 20, 2015, 17:35:55 PM
We have to comply to Dutch eshop certification standard. Audit is done by independent Auditor.
And unfortunately it failed. Mainly WASC-8 Cross-Site Scripting and WASC-19 SQL Injection.

I'm just curious - do you have a link to the 'Dutch eshop certification standard'? Can't find that using Google search.
Also I would expect that a security auditor's report includes a description stating which extension is vulnerable as well as the exact vulnerability. Could be an extension using Flash for example...
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations


ptrouw

Does 3.0.11 have improvement stopping cross scripting and sql injection?

I just got an update by Yireo, a Joomla development company in Holland; they suggest on a normal Joomla installation to install a free SQL injection/LFI protection plugin for Joomla (http://www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla).

Has anybody experience with this in a VM environment?

Just replying to jjk on what standards they are certifying: they use the OWASP Top 10 list. And no, there were no other extensions causing problems!

balai

If you can PM me that report I would be grateful.
This is quite serious

GJC Web Design

Quote from: ptrouw
I just got an update by Yireo a Joomla Developers Company in Holland, they suggest on a normal Joomla installation to to install a free sql iniection/lfi protection plugin for joomla (http://www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla),

I have this installed, especially on older J1.5 sites, and it seems to catch an amazing number of attempts.

I had email notifications of attempts turned on and often received hundreds of emails in the space of an hour notifying of blocked injection attempts.
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

Milbo

Quote from: ptrouw on October 21, 2015, 09:03:07 AM
Does 3.0.11 have improvement stopping cross scripting and sql injection?

Quote from: Milbo on October 20, 2015, 18:06:46 PM
yes! one sql injection, mainly harmless, because only possible with superadmin rights and one XSS

Please read my answer. Check my position, read my answer again.

Quote from: Milbo on October 21, 2015, 00:18:07 AM
Quote from: ptrouw on October 20, 2015, 18:17:56 PM
So any thoughts on going forward?

yes download vm3.0.11
http://dev.virtuemart.net/attachments/download/974/com_virtuemart.3.0.11_extract_first.zip

Milbo

Quote from: balai on October 21, 2015, 10:58:17 AM
If you can pm me that report i would be grateful.
This is quite serious

I am sorry, Balai, actually the right address is me. I am quite sure I got this audit already some weeks ago, and vm3.0.11 already has the fixes and vm2.6.30 will have 2 of them also. Btw, all of this was announced by me in the internal chat, as far as I know.

balai

Fine Max
I was intending to speed up the recognition and fixing of these issues.
Hope to have some good news about that soon