The shop.product_details exploit mentioned above on exploit-db.com does not affect my site running VM 1.0.14.
Regarding the shop.product_details exploit, I posted this earlier to the News section of the VM website when the forum was down:
Shemzone already pointed out the additional code in shop.product_details.php added to try to fix this bug:
// Check for non-numeric product id
if (!empty($product_id)) {
if (!is_numeric($product_id)) {
$product_id = '';
}
}
BUT $product_id is already forced to be an integer just a couple lines earlier:
$product_id = intval( mosgetparam($_REQUEST, "product_id", null) );
It doesn't look like the new code prevents any SQL injection via $product_id because no SQL injection was possible before.
Can anyone here confirm that the exploit is for real?
How does the newly added code fix the problem if it is for real?