Author Topic: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!  (Read 42195 times)

Mark Smeed

  • Beginner
  • *
  • Posts: 4
Hi Guys,

I’ve just become aware of a SQL injection Vulnerability in all 1.0 versions of VirtueMart.

The summary of the Vulnerability can be found @ http://docs.joomla.org/Vulnerable_Extensions_List

It would seam that the JED became aware of this on the 7th December 09 and therefore was wondering if this has been addressed?

If not when do you think a fix will be available?

Thanks,

:)

martin77

  • Beginner
  • *
  • Posts: 7
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #1 on: January 28, 2010, 12:57:53 pm »
Above the list is said, that only the ones in a red box aren't adressed yet, the virtuemart vulnerability isn't in a red box, so I assume it's fixed.

Mark Smeed

  • Beginner
  • *
  • Posts: 4
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #2 on: January 28, 2010, 13:50:42 pm »
Hi Martin,

Thank you for your post!

If you visit the extensions on the JED you will find that the extension has been unpublished by Joomla! for the following reason: http://extensions.joomla.org/extensions/129/details

Quote
This extension has been unpublished for the following reason: Vulnerable Extensions List - http://docs.joomla.org/http://www.exploit-db.com/exploits/10407_Extensions_List

This is a bit disconcerting, maybe my fear is unjustified however; it would be very helpful to hear from one of the VR developers on this matter if only to set our fears at rest?

To learn more able the SQL Injection vulnerabilities: http://www.exploit-db.com/exploits/10407 & http://www.exploit-db.com/exploits/11271 & http://www.exploit-db.com/exploits/10407

Thanks,

 :)

tomkerswill

  • Beginner
  • *
  • Posts: 2
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #3 on: January 28, 2010, 16:53:28 pm »
Hi --- this has also been mentioned on the SANS newsletter today, and on:

http://www.securityfocus.com/bid/37963

It doesn't look like there's a fix available at the moment at all... at least not one that is mentioned on Security Focus. Would love to know more details about how this can be patched!

Tom

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10070
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #4 on: January 28, 2010, 19:32:43 pm »
First:

The vulnerability does not hit the normal virtuemart because it is only accessible via backend. So long there is no multivendor, so long this is not a vulnerability.
This is a minor problem and next thing this is fixed by Thomas for vm1.1.4b, just download the nightly build from 28.1.10.

Cyas da Milbo
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Mark Smeed

  • Beginner
  • *
  • Posts: 4
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #5 on: January 29, 2010, 10:35:52 am »
Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability however, there seam to be another vulnerability which can be exploited via the front-end!

The vulnerability seam to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

 :)

bass28

  • Jr. Member
  • **
  • Posts: 81
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #6 on: January 29, 2010, 16:22:30 pm »
We feel we have the backend vulnerability for 1.1.4 corrected.  We are investigating the others reported in 1.0 and hope to have patches shortly.

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10070
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #7 on: January 29, 2010, 16:41:27 pm »
Please look here

This line fixes the frontend security leak with the product_id
change line 23 in /html/order.order_status_form.php to
$order_status_id =vmrequest::getInt('order_status_id', 0);

Written by zorkhh: The problem was, that the order_status_id parameter was not checked correctly and accepted strings where only integers should be allowed. This way the injection could happen. Now it makes sure that the variable can contain only integers.

This should help, the changes are already in the svn, we will release a patch soon.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

David-Andrew

  • Jr. Member
  • **
  • Posts: 76
    • Chill Creations
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #8 on: January 29, 2010, 16:46:00 pm »
Doing great work guys, keep it up!

iDEAL for Virtuemart 3
http://www.chillcreations.com/joomla-extensions/ccideal-platform-ideal-for-joomla

Also supports Rabo OmniKassa and other payment providers, and older Virtuemart versions!

zorkhh

  • Advanced
  • Jr. Member
  • *****
  • Posts: 245
    • vm-expert.com
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #9 on: January 29, 2010, 16:54:38 pm »
Hi,

you should check vm-expert.com more often  ::)

We have published this solution here after we have updated the SVN: http://www.vm-expert.com/virtuemart-expert-blog/82-security-fix-for-vm-114

Cheers,

Thomas
Virtuemart Professional Support at http://www.vm-expert.com

Visit the large Virtuemart Group on Joomla.org: http://people.joomla.org/groups/viewgroup/30-Virtuemart.html

bsavic

  • Beginner
  • *
  • Posts: 1
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #10 on: January 29, 2010, 20:45:12 pm »
Hi Everyone,

I could not recreate this issue on a site with VirtueMart 1.0.15., server have magic quotes enabled.

Is this because magic quotes? What do you think?

Thanks


zorkhh

  • Advanced
  • Jr. Member
  • *****
  • Posts: 245
    • vm-expert.com
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #11 on: January 29, 2010, 20:51:27 pm »
Be careful with the versions! The last post where VM 1.1.4 related...

Thomas
Virtuemart Professional Support at http://www.vm-expert.com

Visit the large Virtuemart Group on Joomla.org: http://people.joomla.org/groups/viewgroup/30-Virtuemart.html

bass28

  • Jr. Member
  • **
  • Posts: 81
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #12 on: January 30, 2010, 03:29:50 am »
I added files to SVN for both 1.0.15 and 1.1.4 which should eliminate the SQL injections that have been reported.  If anyone comes across anymore let us know.

I will post patched files on the site for download soon.

bass28

  • Jr. Member
  • **
  • Posts: 81
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #13 on: January 30, 2010, 16:05:37 pm »
Here are the patch files for 1.0.15 and 1.1.4.  Just extract them into your Joomla root folder.  The first part of the filename indicates the version. ;)

[attachment cleanup by admin]

tomkerswill

  • Beginner
  • *
  • Posts: 2
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #14 on: February 02, 2010, 17:28:42 pm »
Ah great - thanks so much for the quick action and fix. Am finding virtuemart to be really excellent!
Tom