Author Topic: security vulnerability in vmbeez3 template  (Read 484 times)

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 13
security vulnerability in vmbeez3 template
« on: February 05, 2020, 19:06:35 pm »
This is from my host A2Hosting.  I get these periodically and note that they are calling out a security issue with the vmbeez3 template.

****************************************************
We recently sent you an email regarding vulnerabilities detected on your domain(s) mayach.com hosted on a2ss29.a2hosting.com. As promised in our previous email, we have gone ahead and applied patches to fix the following vulnerabilities:

Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/html/com_content/article/default.php


Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/jsstrings.php


Click here to learn more about our perpetual security scans: https://www.a2hosting.com/kb/cpanel/advanced-features/patchman

Best Regards,

The A2 Hosting Support Team
**********************************************************************************************
   
   

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 13
Re: security vulnerability in vmbeez3 template
« Reply #1 on: February 05, 2020, 19:30:02 pm »
Compared new install of VirtueMart from today with the change that A2Hosting made to the two template files (attached).

Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/html/com_content/article/default.php

added line 16
added lines 172-205

Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/jsstrings.php

added lines 10-12

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 13
Re: security vulnerability in vmbeez3 template
« Reply #2 on: February 05, 2020, 19:31:18 pm »
Renamed the .php files to .txt in order to upload to this forum.

J

pinochico

  • 3rd party VirtueMart Developer
  • Jr. Member
  • Posts: 400
    • MiniJoomla
  • VirtueMart Version: 3
Re: security vulnerability in vmbeez3 template
« Reply #3 on: February 05, 2020, 19:43:48 pm »
The files are not vulnerable.

www.minijoomla.org  - new portal for Joomla!, Virtuemart and other extensions
XML Easy Feeder - feeds from products, orders and database table
Virtuemart Email Manager - customs email templates

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 13
Re: security vulnerability in vmbeez3 template
« Reply #4 on: February 05, 2020, 19:49:20 pm »
Any idea why they were flagged and are the changes acceptable?

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • Posts: 10040
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: security vulnerability in vmbeez3 template
« Reply #5 on: February 06, 2020, 20:50:36 pm »
One file has this block that you can't load it without the Joomla context, but there is no important stuff in it, just language. The other file got a feature some months later which created a data leak, but the feature was not in the file, so it is not vulnerable. But I used this occasion to update the vmbeez3 with the latest files of beez3.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/