SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!

[Mark Smeed]

Hi Guys,

I’ve just become aware of a SQL injection Vulnerability in all 1.0 versions of VirtueMart.

The summary of the Vulnerability can be found @ http://docs.joomla.org/Vulnerable_Extensions_List

It would seam that the JED became aware of this on the 7th December 09 and therefore was wondering if this has been addressed?

If not when do you think a fix will be available?

Thanks,

[martin77]

Above the list is said, that only the ones in a red box aren't adressed yet, the virtuemart vulnerability isn't in a red box, so I assume it's fixed.

[Mark Smeed]

Hi Martin,

Thank you for your post!

If you visit the extensions on the JED you will find that the extension has been unpublished by Joomla! for the following reason: http://extensions.joomla.org/extensions/129/details

This extension has been unpublished for the following reason: Vulnerable Extensions List - http://docs.joomla.org/http://www.exploit-db.com/exploits/10407_Extensions_List

This is a bit disconcerting, maybe my fear is unjustified however; it would be very helpful to hear from one of the VR developers on this matter if only to set our fears at rest?

To learn more able the SQL Injection vulnerabilities: http://www.exploit-db.com/exploits/10407 & http://www.exploit-db.com/exploits/11271 & http://www.exploit-db.com/exploits/10407

Thanks,

 

[tomkerswill]

Hi --- this has also been mentioned on the SANS newsletter today, and on:

http://www.securityfocus.com/bid/37963

It doesn't look like there's a fix available at the moment at all... at least not one that is mentioned on Security Focus. Would love to know more details about how this can be patched!

Tom

[Milbo]

First:

The vulnerability does not hit the normal virtuemart because it is only accessible via backend. So long there is no multivendor, so long this is not a vulnerability.
This is a minor problem and next thing this is fixed by Thomas for vm1.1.4b, just download the nightly build from 28.1.10.

Cyas da Milbo

[Mark Smeed]

Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability however, there seam to be another vulnerability which can be exploited via the front-end!

The vulnerability seam to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

 

[bass28]

We feel we have the backend vulnerability for 1.1.4 corrected.  We are investigating the others reported in 1.0 and hope to have patches shortly.

[Milbo]

Please look here

This line fixes the frontend security leak with the product_id
change line 23 in /html/order.order_status_form.php to
$order_status_id =vmrequest::getInt('order_status_id', 0);

Written by zorkhh: The problem was, that the order_status_id parameter was not checked correctly and accepted strings where only integers should be allowed. This way the injection could happen. Now it makes sure that the variable can contain only integers.

This should help, the changes are already in the svn, we will release a patch soon.

[David-Andrew]

Doing great work guys, keep it up!

[zorkhh]

Hi,

you should check vm-expert.com more often 

We have published this solution here after we have updated the SVN: http://www.vm-expert.com/virtuemart-expert-blog/82-security-fix-for-vm-114

Cheers,

Thomas

[bsavic]

Hi Everyone,

I could not recreate this issue on a site with VirtueMart 1.0.15., server have magic quotes enabled.

Is this because magic quotes? What do you think?

Thanks

[zorkhh]

Be careful with the versions! The last post where VM 1.1.4 related...

Thomas

[bass28]

I added files to SVN for both 1.0.15 and 1.1.4 which should eliminate the SQL injections that have been reported.  If anyone comes across anymore let us know.

I will post patched files on the site for download soon.

[bass28]

Here are the patch files for 1.0.15 and 1.1.4.  Just extract them into your Joomla root folder.  The first part of the filename indicates the version.

[attachment cleanup by admin]

[tomkerswill]

Ah great - thanks so much for the quick action and fix. Am finding virtuemart to be really excellent!
Tom