VirtueMart Forum

VirtueMart 2 + 3 + 4 => General Questions => Topic started by: slammy on September 07, 2014, 14:43:07 PM

Title: vm < 2.6.10 insecure? [solved]
Post by: slammy on September 07, 2014, 14:43:07 PM
Hi Community,

I saw in a signature from a forum moderator the hint that < 2.6.10 is insecure. I just took a look at virtuemart.net and found no information on that detail or in the latest news. Searching the forum for "2.6.10" + "insecure" does not find any other information than this signature: http://forum.virtuemart.net/index.php?topic=118683.msg402445#msg402445

I believe that in the past virtuemart.net was sending emails about new versions/SRs to registered users. Maybe this is related to the mail problem. Do you strongly recommend switching to 2.6.10 from 2.6.8b, for example?
regards jens
Title: Re: vm < 2.6.10 insecure?
Post by: dimi2013 on September 08, 2014, 21:45:27 PM
Yeah, I got nothing too. No emails, nothing. I used to get them in the past.
Title: Re: vm < 2.6.10 insecure?
Post by: jenkinhill on September 08, 2014, 21:57:15 PM
This has not been announced yet; the problem in VM was identified and fixed by our lead developer. It is possible that other Joomla components may have the same issue with Joomla code and could potentially be at risk if the "exploit" became known.
Title: Re: vm < 2.6.10 insecure?
Post by: jenkinhill on September 10, 2014, 23:14:33 PM
There is now more information here: http://blog.sucuri.net/2014/09/security-advisory-virtuemart-for-joomla.html
Title: Re: vm < 2.6.10 insecure?
Post by: AH on September 11, 2014, 17:57:31 PM
And some not so great press here

http://www.pcworld.com/article/2606312/vulnerability-in-popular-joomla-ecommerce-extension-puts-online-shops-at-risk.html

It might be that a patch is required for older shops, if possible, rather than a full upgrade, which could take many people some time to implement, especially if they need to test ALL the possible changes.

And there are other sites that actually spell out the vulnerability and what a malicious attacker could do to exploit it!

It is great to have an update out there so quickly - but some users will not be able to upgrade quickly - so what can they do to stop the script kiddies killing their business??

It should be possible to implement a patch in older VM2 versions 2.6.8c and lower - it looks like a very small change to one file from what I can make out??
Title: Re: vm < 2.6.10 insecure?
Post by: jenkinhill on September 11, 2014, 18:28:01 PM
I see a problem in that a patch would reveal where the problem is, and it is an issue with some other components as well, so they would not want the possible exploit known. It's not rocket science to see that there are 68 core files changed between 2.6.8 and 2.6.10 and a similar number of changes in aio packaged files (although many of these will be changes in version numbering). I don't know if there would have to be different patches for the many different versions of VirtueMart.

The only people who will have issues updating from recent versions will be those who have hacked the core - which of course we do not recommend.

I guess it would be better if the actual Joomla code that can lead to this vulnerability were fixed. Sucuri are looking into this, and J! devs do know about it. https://twitter.com/virtuemart/status/509768667962552320
Title: Re: vm < 2.6.10 insecure?
Post by: AH on September 11, 2014, 18:43:41 PM
Jenkin

I agree this is a problem

The security issue, I believe, is in one file only, but yes, how to get it out there without alerting so many? However, what is the business risk to VM when shops start getting hacked?

The bad press alone is not great.

I agree that J devs should sort it out, but users are vulnerable now and we should think about how we mitigate the potential negative impacts.

Regarding people having issues with an upgrade - please be serious - hacking the core is not the only thing to consider.

All stores would need to test the upgrade and any impacts it might have to their live site and any templating overrides. This could take weeks for some users.

If my cursory research is correct, a small patch could be implemented and tested within hours for most sites.

Of course a full VM update is great if possible - it's just that when it might not be, VM's reputation could take a spanking.

Title: Re: vm < 2.6.10 insecure?
Post by: jenkinhill on September 12, 2014, 12:15:20 PM
The simple fix for those who have to use it is included in the news release: http://virtuemart.net/news/latest-news/462-security-release-of-vm2-6-10-and-vm2-9-9b
Title: Re: vm < 2.6.10 insecure?
Post by: AH on September 12, 2014, 12:35:59 PM
Simples  :)
Title: Re: vm < 2.6.10 insecure?
Post by: slammy on September 13, 2014, 10:54:34 AM
OK, finally there is latest news on this and how to patch if you cannot update your VM. Take a look here: http://www.virtuemart.net/news/latest-news/462-security-release-of-vm2-6-10-and-vm2-9-9b
regards jens
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: Jose M. on September 13, 2014, 12:15:35 PM
Hi,
Until we can update all of VM, can we directly copy the user.php file from version 2.6.10 to version 2.0.16, overwriting it?
Or include only the lines indicated?

Thanks
Jose
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: jjk on September 13, 2014, 12:42:03 PM
@Jose M.
Adding the lines is meant as a 'first aid' solution if you can't/don't want to update to 2.6.10 or can't use the file copy due to personal customizations. If you have FTP access, I would recommend just renaming the old user.php file to user.php.bak and then uploading the new user.php. Very easy to do and takes only one minute. If something goes wrong (very unlikely), you can always simply rename the old file again.
(I just added the new user.php to my VM 2.0.26 live site - no problem, everything is still working)
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: AH on September 13, 2014, 12:53:50 PM
Anyone got a solution for the completely out of date (but still in use) VM 1.1.9?

#old school

And save your breath with any "upgrade to VM2" comments please!
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: jjk on September 13, 2014, 13:53:43 PM
@Hutson
Quote from: Hutson on September 13, 2014, 12:53:50 PM
And save your breath with any "upgrade to VM2" comments please!
And how about asking the Joomla guys?  ;D If I'm not mistaken, the relevant piece of code has its origin in Joomla 1.x and is still being used in J1.5.x. But certain Joomla guys reject that Joomla is affected. And if they would admit it, you know the answer: "Update".
I know this comment doesn't help ;)
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: AH on September 13, 2014, 14:11:32 PM
JJK

Thank you for the response.

From what I can gather, the joomla guys don't appear to give a fig even with Joomla 2.5

Upgrade, oooohh one day soon we will. 

I think that the script kiddies will be spending their time working on exploiting Joomla 2.5 new sites as it will be like shooting fish in a barrel.

Especially if Joomla devs fail to own up to a massive faux pas and fix it immediately - just imagine how many components are open to this exploit (very bad, Joomla!)

I believe that the exploit still requires the user to sign in as admin after they have raised their permissions and there are a few plugins that help reduce the possibility of admin access for VM1

I am hoping someone will see the way to posting something here that would help the old-schoolers using VM 1.
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: jenkinhill on September 13, 2014, 14:23:22 PM
How about removing registration?
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: AH on September 13, 2014, 16:18:24 PM
Yes Jenkin we have considered that.  And thanks for the reply

Prefer a fix though as it is not really just about me but all the many users that have still to migrate.
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: Milbo on September 16, 2014, 12:17:31 PM
You just need to remove the usertype, instead of isRoot. But yepp, the problem is also there.
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: AH on September 16, 2014, 21:55:33 PM
VM1.1.9

Confirmed no issue

Thanks Milbo and the devs!!!!!!!!!!
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: Milbo on September 17, 2014, 15:12:16 PM
Yeah, but you could see that it also got fixed there, because only one file works correctly; the other is only for the backend and therefore didn't need the fix.
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: AH on September 17, 2014, 16:18:38 PM
Yep - so nothing to change - but you guys did the work to confirm that the front end did not have a security hole.

I am sure you will be inundated with thanks from the VM1.1.9 users that are yet to migrate.

PS if anyone reading this is still on VM1  you should seriously have a plan for migration by now!!
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: efocus on September 22, 2014, 23:43:27 PM
Quote from: Hutson on September 16, 2014, 21:55:33 PM
VM1.1.9

Confirmed no issue

Thanks Milbo and the devs!!!!!!!!!!

I am confused. I don't see any evidence in this thread about VM1.1.9 not being affected by this security vulnerability. Can someone please confirm if that's what Hutson means?
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: GJC Web Design on September 23, 2014, 02:11:30 AM
Although vm1.1 also uses a bind, the "sensitive" vars are set after this, so any "evil" post can't get any further (is reset).
So vm1.1 front end registration is safe - you can check in ps_shopper.php
Title: Re: vm < 2.6.10 insecure? [solved]
Post by: AH on September 23, 2014, 09:33:20 AM
As JJK said

The fields that could create an issue if they were "fiddled" with in POST

Are actually set programmatically AFTER the POST bind process

Effectively wiping out any "fiddled" with sensitive fields
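As an added example (not code from VirtueMart, Joomla or any poster in this thread), the PHP sketch below models the two defences the thread describes against a forged registration POST: stripping the privilege-bearing keys before a generic bind, which is the shape of the VM2 fix Milbo refers to (usertype on the older code path, isRoot on the newer one), and assigning the sensitive fields after the bind, which is what GJC and AH report for VM 1.1's ps_shopper.php. DemoUser, its fields, the three register* functions and the list of stripped keys are assumptions for the illustration and are not the real JUser or VirtueMart API; the request array is constructed for the demo.

```php
<?php
// Added illustration (not VirtueMart's or Joomla's own code): a minimal
// model of the "bind raw POST into the user object" pattern discussed above.
// Class, field and function names are made up for the example.

class DemoUser
{
    public $username = '';
    public $email = '';
    public $usertype = 'Registered';   // field a forged POST tries to set (Joomla 1.5-style)
    public $isRoot = false;            // same idea for the later isRoot property

    // Generic bind: copies every key of $data onto the property of the same
    // name, the way a mass-assignment helper does. Nothing here decides which
    // keys a visitor is allowed to send.
    public function bind(array $data)
    {
        foreach ($data as $key => $value) {
            $this->$key = $value;
        }
    }
}

// Vulnerable shape: the request body goes into bind() unfiltered, so the two
// forged keys land on the object like any other form field.
function registerUnfiltered(array $post)
{
    $user = new DemoUser();
    $user->bind($post);
    return $user;
}

// Hardened shape 1 (the spirit of the VM2 fix): unset the privilege-bearing
// keys before binding. Which keys matter depends on the Joomla version; this
// list is an assumption for the example, not the project's exact list.
function registerFiltered(array $post)
{
    foreach (array('usertype', 'gid', 'groups', 'isRoot') as $sensitive) {
        unset($post[$sensitive]);
    }
    $user = new DemoUser();
    $user->bind($post);
    return $user;
}

// Hardened shape 2 (what the thread reports for VM 1.1.9): bind everything,
// then overwrite the sensitive fields with server-chosen values, so whatever
// the POST carried for them is discarded.
function registerAssignAfterBind(array $post)
{
    $user = new DemoUser();
    $user->bind($post);
    $user->usertype = 'Registered';
    $user->isRoot = false;
    return $user;
}

// Constructed sample request: a normal registration form plus two forged fields.
$forgedPost = array(
    'username' => 'mallory',
    'email'    => 'mallory@example.invalid',
    'usertype' => 'Super Administrator',
    'isRoot'   => true,
);

foreach (array('registerUnfiltered', 'registerFiltered', 'registerAssignAfterBind') as $fn) {
    $u = $fn($forgedPost);
    printf("%-24s usertype=%-20s isRoot=%s\n", $fn, $u->usertype, var_export($u->isRoot, true));
}
```

Run it with `php demo.php`: the first line shows the forged usertype and isRoot surviving the bind, the other two show them discarded. The practical check for any Joomla-era component is the same one GJC applied to ps_shopper.php: find the bind call, then confirm that every field which decides privilege is either removed from the input before it or overwritten from server-side logic after it.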