Author Topic: bug in media upload from admin end  (Read 264 times)

kailash745

  • Beginner
  • *
  • Posts: 2
  • A developer
  • Skype Name: kailash
  • VirtueMart Version: 3.2.1
bug in media upload from admin end
« on: September 21, 2017, 15:42:28 pm »
Regarding the stored XSS (cross-site scripting) vulnerability found in  "Virtuemart " because of improper validation of user input. Kindly fix this issue asap and do review the code of other fields too in the application. 

Vulnerability Risks : Hijacking another user's browser ; Pseudo defacement of the application ; Directed delivery of browser-based exploits  and many more.

NOTE : Please fix both the reported issues asap (XSS and unrestricted file upload). As, in the past because of these vulnerabilities were completely defaced by the attackers.


step1: goto virtuemart product/category in back end
step2: click on upload image section
step3: upload any file even script file also uploaded (.php)

franzpeter

  • 3rd party VirtueMart Developer
  • Jr. Member
  • *
  • Posts: 465
    • 2in1-online | Software, Mac, PC, Netzwerk, Drucker, Pad, Display
  • VirtueMart Version: Virtuemart 3.2.6
Re: bug in media upload from admin end
« Reply #1 on: September 21, 2017, 17:10:02 pm »
Do you mean that for serious? How do you want to sell downloadable products like extensions or other things from a shop? Those files need to get stored somehow. It is your decision, what you upload in Backend via Media manager. You are the shop owner.

AH

  • Global Moderator
  • Sr. Member
  • *
  • Posts: 2640
  • VirtueMart Version: 3.2.8
Re: bug in media upload from admin end
« Reply #2 on: September 21, 2017, 17:17:49 pm »
How did the "attackers" get access to your admin area?

This seems nonsense to "blame" vm

Surely they could have just done FTP also.
regards
A

Joomla 3.8.3
php 5.6 + php 7

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 9415
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: bug in media upload from admin end
« Reply #3 on: September 21, 2017, 17:35:32 pm »
kailash745 it is a matter of permission.

We have two permissions for this matter. In English they are called

"Allow all kind of files, instead of only images and safe types"
"Media potential trusted"

The first is the vm filter, which just checks for filetypes. This is necessary, when you want to sell zips containing php. The second is the joomla filter. Both rights should be set to allowed for Superadministrators. But of course they should be set to "not allowed" for non admins.

So I dont see a security issue here. When a shop allows users to upload media in vm, it is a multivendorshop and the rights should be set correctly, of course. When the shop allows to upload media for a product, then these are 3rd party products. They may use our upload, when they do it, as long the rights are set correctly, anything should be safe.

When you install a fresh store, the rigts are set correctly, so I dont see a problem here.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/