Author Topic: Everybody can add product in the frontend  (Read 998 times)

glenanpl

  • Beginner
  • *
  • Posts: 11
  • A beginner
Everybody can add product in the frontend
« on: November 12, 2016, 17:18:24 pm »
Hi
With Joomla 3.6.4 and Virtuemart 3.0.18, everybody can add product in the frontend!
For Public, Guest and Registered ACL for “not allow”.
In /components/com_virtuemart/views/virtuemart/tmpl, in file default.php, I add a # to not have the icon in the frontend
# echo $this->add_product_link;
But I would like to know if there is another possibility
Regards

Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2182
  • Joomla & Virtuemart addon developer
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Everybody can add product in the frontend
« Reply #1 on: November 12, 2016, 17:22:02 pm »
Was your website hacked before the Joomla security fix?
Check your perm settings for VirtueMart using YOURSITE/administrator/index.php?option=com_config&view=component&component=com_virtuemart, to see if everything is set right.

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 9327
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Everybody can add product in the frontend
« Reply #2 on: November 12, 2016, 17:38:25 pm »
Hiding it does not prevent someone from misusing it. We have had that quite often lately, and I think it is connected to the last Joomla hack.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

glenanpl

  • Beginner
  • *
  • Posts: 11
  • A beginner
Re: Everybody can add product in the frontend
« Reply #3 on: December 24, 2016, 19:07:53 pm »
OK!
Is it possible to activate/deactivate the front office for everybody?
Regards

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2585
  • VirtueMart Version: 3.2.4
Re: Everybody can add product in the frontend
« Reply #4 on: December 25, 2016, 10:01:11 am »
check if you have been hacked first

then decide on what you do next

deactivating front office is no use if you are hacked
regards
A

Joomla 3.7.4
php 5.6 + php 7

glenanpl

  • Beginner
  • *
  • Posts: 11
  • A beginner
Re: Everybody can add product in the frontend
« Reply #5 on: December 27, 2016, 22:08:24 pm »
Hi,
My question is not “Has my site been hacked?”
But
How to “deactivate VIRTUEMART frontend access?”
Regards

The second-level question is: is there a backdoor (or more) in VirtueMart?

GJC Web Design

  • 3rd party VirtueMart Developer
  • Super Hero
  • *
  • Posts: 7530
  • Virtuemart, Joomla & php developer
    • GJC Web Design
  • VirtueMart Version: 2.6.22 & 3.2.2
Re: Everybody can add product in the frontend
« Reply #6 on: December 27, 2016, 22:44:43 pm »
Quote
For Public, Guest and Registered ACL for “not allow”.

which u already have..  I have seen one other site like this and I can only assume it was a malicious setting by a hacker

Found the solution by carefully comparing the ACL setup between a fresh install and the problem one .. and it was only config
GJC Web Design
VirtueMart and Joomla Developers - php developers http://www.gjcwebdesign.com
http://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation
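
The comparison described in the post above can be scripted. This is an added example, not part of any post in this thread and not VirtueMart or Joomla code: it diffs the `rules` JSON of the `com_virtuemart` row in Joomla's `#__assets` table between a fresh install and the problem site. It assumes the default Joomla 3 group ids; the two sample rows are constructed.

```python
import json

# Default Joomla 3 user-group ids (assumption: stock install, no custom groups).
GROUPS = {1: "Public", 2: "Registered", 3: "Author", 4: "Editor",
          5: "Publisher", 6: "Manager", 7: "Administrator",
          8: "Super Users", 9: "Guest"}
# Groups this thread expects to be "not allowed" for VirtueMart.
LOW_PRIV = {1, 2, 3, 4, 9}


def parse_rules(raw):
    """Turn an #__assets.rules JSON string into {action: {group_id: 0|1}}."""
    data = json.loads(raw) if raw else {}
    rules = {}
    for action, grants in data.items():
        # An action with no explicit settings is stored as [] rather than {}.
        grants = grants if isinstance(grants, dict) else {}
        rules[action] = {int(g): int(v) for g, v in grants.items()}
    return rules


def diff_rules(baseline_raw, suspect_raw):
    """List every (action, group) whose setting differs from the baseline."""
    base, sus = parse_rules(baseline_raw), parse_rules(suspect_raw)
    findings = []
    for action in sorted(set(base) | set(sus)):
        b, s = base.get(action, {}), sus.get(action, {})
        for gid in sorted(set(b) | set(s)):
            old, new = b.get(gid), s.get(gid)  # None means "inherited"
            if old != new:
                findings.append({
                    "action": action,
                    "group": GROUPS.get(gid, "group %d" % gid),
                    "baseline": old,
                    "suspect": new,
                    # An explicit allow for a low-privilege group is the
                    # kind of setting this thread is about.
                    "risky": new == 1 and gid in LOW_PRIV,
                })
    return findings


# Constructed sample rows, not taken from any real site.
FRESH = '{"core.admin":{"7":1},"core.manage":{"6":1},"core.create":[],"core.edit":[]}'
SUSPECT = ('{"core.admin":{"7":1,"1":1},"core.manage":{"6":1,"9":1},'
           '"core.create":[],"core.edit":{"4":0}}')

if __name__ == "__main__":
    for f in diff_rules(FRESH, SUSPECT):
        print("RISKY  " if f["risky"] else "changed", f)
```

Export the two `rules` values with a query on the assets table (the table prefix differs per site) and pass them in place of the sample strings.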

Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2182
  • Joomla & Virtuemart addon developer
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Everybody can add product in the frontend
« Reply #7 on: December 27, 2016, 23:39:11 pm »
The simplest hack is to modify file JOOMLAROOT\components\com_virtuemart\virtuemart.php :
Code:
if ( shopFunctionsF::isFEmanager() ) {
to
Code:
if ( 1===0 ) {

glenanpl

  • Beginner
  • *
  • Posts: 11
  • A beginner
Re: Everybody can add product in the frontend
« Reply #8 on: December 28, 2016, 16:50:31 pm »
Hi
I test the solution of Studio 42
Was it possible to change the parameter of isFEmanager() in a way that is less brutal than 1===0? ;-)
For the ACL all is Not Allowed (inherent) for Public, Guest, Registered, Author, Redactor, Editor!
Regards

Studio 42

  • Contributing Developer
  • Full Member
  • *
  • Posts: 2182
  • Joomla & Virtuemart addon developer
    • Studio 42 - Virtuemart & Joomla extentions
  • VirtueMart Version: 2.6 & 3.0.x.y
Re: Everybody can add product in the frontend
« Reply #9 on: December 28, 2016, 18:27:33 pm »
Quote
OK!
Is it possible to activate/deactivate the front office for everybody?
Regards

This is a safe way: if your site is hacked, this stops any front editing. So if you add .htpassword to admin, no hacker can access your shop with a backdoor.
All other ways were explained by others, but you said you want to completely disable front access to VM.