SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!

[Soeren]

Thanks again for the quick fixes.
I have published a news article here: http://virtuemart.net/news/list-all-news/366
The security bulletin can be found here: http://virtuemart.net/security-bulletins/365-vm-security-bulletin-2010-01-30

ciao, Sören

[virtoom]

Thanks a lot! If I download a fresh copy of VirtueMart, I don't need the patch I suppose?

Thanks in advance,

V.

[Simon A.]

The shop.product_details exploit mentioned above on exploit-db.com does not affect my site running VM 1.0.14.

Regarding the shop.product_details  exploit, I posted this earlier to the News section of the VM website when the forum was down:

Shemzone already pointed out the additional code in shop.product_details.php added to try to fix this bug:

Code: [Select]

 
  // Check for non-numeric product id
    if (!empty($product_id)) {
     if (!is_numeric($product_id)) {
      $product_id = '';
     }
    }



BUT $product_id is already forced to be an integer just a couple lines earlier:

Code: [Select]


    $product_id = intval( mosgetparam($_REQUEST, "product_id", null) );


It doesn't look like the new code prevents any SQL injection via $product_id because no SQL injection was possible before.

Can anyone here confirm that the exploit is for real?

 How does the newly added code fix the problem if it is for real?

[nedge2k]

Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability however, there seam to be another vulnerability which can be exploited via the front-end!

The vulnerability seam to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

 

Are any of the admins going to address this? Or is it in the patch already?

FWIW, I just had a look at my html/shop.product_details (VM 1.1.14) and amended the following as per the backend fix:

Code: [Select]

Line 35
//$product_id = intval( vmGet($_REQUEST, "product_id", null) );
$product_id = vmrequest::getInt('product_id', 0);
//$category_id = vmGet($_REQUEST, "category_id", null);
$product_id = vmrequest::getInt('category_id', 0);
//$manufacturer_id = vmGet($_REQUEST, "manufacturer_id", null);
$manufacturer_id = vmrequest::getInt('manufacturer_id', 0);
(original code //commented out)

I know it's supposed to be a 1.0 glitch but it looks like the category and manufacturer id's could be vulnerable in 1.1?

[xnsjay]

very good..

[korij]

I just downloaded virtuemart april 1, have the patches for 1.1.4 already been intergrated or should I still apply them?

[felixp]

We're running version 1.1.3. Does this apply to us as well? And if it does, is there a place to see the changes/updates so we could apply them manually. Thank you!

[scanreg]

I just downloaded virtuemart april 1, have the patches for 1.1.4 already been intergrated or should I still apply them?

Same concern here

[sled10]

I extracted the vm114 file and your instructions say to place it in my Joomla root folder, but I already have a folder called administrator. Do you want me to overwrite the whole administrator folder or just upload the two individual files that are inside the html folder ? thanks for the clarification.