Author Topic: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!  (Read 43234 times)

Soeren

  • Administrator
  • Sr. Member
  • *
  • Posts: 3106
  • VirtueMart Starter
    • virtuemart.net
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #15 on: February 03, 2010, 10:53:54 am »
Thanks again for the quick fixes.
I have published a news article here: http://virtuemart.net/news/list-all-news/366
The security bulletin can be found here: http://virtuemart.net/security-bulletins/365-vm-security-bulletin-2010-01-30

ciao, Sören
The future of eCommerce: VirtueMart & Joomla!
http://virtuemart.net

virtoom

  • Beginner
  • *
  • Posts: 8
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #16 on: February 07, 2010, 13:40:16 pm »
Thanks a lot! If I download a fresh copy of VirtueMart, I don't need the patch I suppose?

Thanks in advance,

V.

Simon A.

  • Jr. Member
  • **
  • Posts: 336
    • Tinyplanet
The fix for nothing?
« Reply #17 on: February 11, 2010, 17:34:14 pm »
The shop.product_details exploit mentioned above on exploit-db.com does not affect my site running VM 1.0.14.

Regarding the shop.product_details exploit, I posted this earlier to the News section of the VM website when the forum was down:

Shemzone already pointed out the additional code in shop.product_details.php added to try to fix this bug:

Code:

    // Check for non-numeric product id
    if (!empty($product_id)) {
        if (!is_numeric($product_id)) {
            $product_id = '';
        }
    }

BUT $product_id is already forced to be an integer just a couple lines earlier:

Code:

    $product_id = intval( mosgetparam($_REQUEST, "product_id", null) );

It doesn't look like the new code prevents any SQL injection via $product_id because no SQL injection was possible before.

Can anyone here confirm that the exploit is for real?

How does the newly added code fix the problem if it is for real?

nedge2k

  • Beginner
  • *
  • Posts: 19
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #18 on: February 12, 2010, 16:34:10 pm »
Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability; however, there seems to be another vulnerability which can be exploited via the front-end!

The vulnerability seems to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

 :)


Are any of the admins going to address this? Or is it in the patch already?

FWIW, I just had a look at my html/shop.product_details (VM 1.1.14) and amended the following as per the backend fix:
Code:
// Line 35
//$product_id = intval( vmGet($_REQUEST, "product_id", null) );
$product_id = vmrequest::getInt('product_id', 0);
//$category_id = vmGet($_REQUEST, "category_id", null);
$category_id = vmrequest::getInt('category_id', 0);
//$manufacturer_id = vmGet($_REQUEST, "manufacturer_id", null);
$manufacturer_id = vmrequest::getInt('manufacturer_id', 0);

(original code //commented out)

I know it's supposed to be a 1.0 glitch but it looks like the category and manufacturer id's could be vulnerable in 1.1?
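
The two points raised in replies #17 and #18, as an added example that is not part of the thread and is not VirtueMart code: a numeric check placed after `intval()` can never fire, and a request parameter only becomes an integer if it actually passes through an integer cast. The request values, the table name and the `get_int()` helper are constructed for illustration.

```php
<?php
// Added illustration; not VirtueMart code. get_int() is a hypothetical stand-in
// for an integer-only request accessor like the one used in the post above.
function get_int(array $request, string $name, int $default = 0): int {
    return isset($request[$name]) ? intval($request[$name]) : $default;
}

// Mirrors the check quoted in reply #17, which runs AFTER the value was cast.
// Returns the resulting id and whether the "non-numeric" branch was reached.
function numeric_check_after_cast(array $request): array {
    $product_id = intval($request['product_id'] ?? null);
    $reached = false;
    if (!empty($product_id)) {
        if (!is_numeric($product_id)) {   // an int is always numeric
            $product_id = '';
            $reached = true;
        }
    }
    return [$product_id, $reached];
}

// Constructed request values (not taken from any exploit report).
$request = [
    'product_id'  => "12 OR 1=1",
    'category_id' => "3 OR 1=1",
];

// intval() keeps only the leading digits, so the later check has nothing to do.
[$pid, $reached] = numeric_check_after_cast($request);
var_dump($pid);
var_dump($reached);

// Raw parameter placed in a numeric SQL context: the text survives unchanged.
// 'categories' is a hypothetical table name.
$raw = $request['category_id'];
echo "SELECT * FROM categories WHERE category_id = $raw\n";

// Same parameter through the integer accessor: only an int reaches the query.
$safe = get_int($request, 'category_id');
echo "SELECT * FROM categories WHERE category_id = $safe\n";
```

The cast protects only the parameters that pass through it, so each id read from the request has to be checked individually.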


korij

  • Beginner
  • *
  • Posts: 4
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #20 on: April 11, 2010, 07:10:13 am »
I just downloaded VirtueMart April 1, have the patches for 1.1.4 already been integrated or should I still apply them?

felixp

  • Jr. Member
  • **
  • Posts: 192
    • FMCA
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #21 on: April 29, 2010, 21:16:30 pm »
We're running version 1.1.3. Does this apply to us as well? And if it does, is there a place to see the changes/updates so we could apply them manually. Thank you!
Joomla - 1.5.6
VirtueMart - 1.1.3

scanreg

  • Beginner
  • *
  • Posts: 18
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #22 on: June 04, 2010, 15:14:30 pm »
I just downloaded VirtueMart April 1, have the patches for 1.1.4 already been integrated or should I still apply them?

Same concern here

sled10

  • Beginner
  • *
  • Posts: 3
Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
« Reply #23 on: July 13, 2010, 18:51:25 pm »
I extracted the vm114 file and your instructions say to place it in my Joomla root folder, but I already have a folder called administrator. Do you want me to overwrite the whole administrator folder or just upload the two individual files that are inside the html folder? Thanks for the clarification.