News:

You may pay someone to create your store, or you visit our seminar and become a professional yourself with the silver certification

Main Menu

Security audit failed on VM 3.0.10.

Started by ptrouw, October 20, 2015, 17:35:55 PM

Previous topic - Next topic

ptrouw

Hi,

Last week I had an security audit on my website,  J3.4.4 and VM 3.0.10. We have to comply to Dutch eshop certification standard. Audit is done by independent Auditor.
And unfortunately it failed. Mainly WASC-8 Cross-Site Scripting and WASC-19 SQL Injection.
Any idea how to proceed?
I have a detailed confidential report, if that is helpful?

jenkinhill

Is it this?  Every Joomla user is recommended to update on Thursday:  https://www.joomla.org/announcements/release-news/5633-important-security-announcement-pre-release.html

Check after that, but VM3.0.10 has already been superceded by 3.0.11, for testing on backups first.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

ptrouw

thx for the very quick response.

Yes I assume it could be j3.4.4. But how can I know for sure?

I can only ask for 1 rescan, and if it fails again, we loss our certificate for one year!

Is 3.0.11 bringing new security improvements?

Milbo

yes! one sql injection, mainly harmless, because only possible with superadmin rights and one XSS
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

ptrouw


jjk

Quote from: ptrouw on October 20, 2015, 17:35:55 PM
We have to comply to Dutch eshop certification standard. Audit is done by independent Auditor.
And unfortunately it failed. Mainly WASC-8 Cross-Site Scripting and WASC-19 SQL Injection.

I'm just curious - do you have a link to the 'Dutch eshop certification standard'? Can't find that using Google search.
Also I would expect that a security auditor's report includes a description stating which extension is vulnerable as well as the exact vulnerability. Could be an extension using Flash for example...
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

Milbo

Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

ptrouw

Does 3.0.11 have improvement stopping cross scripting and sql injection?

I just got an update by Yireo a Joomla Developers Company in Holland, they suggest on a normal Joomla installation to to install a free sql iniection/lfi protection plugin for joomla (http://www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla),

Has anybody experience with this in a VM environment?

Just replying to jjk to what standards they are certifying. They use the OWASP Top 10 list. And no, there where no other extensions causing problems!

balai

If you can pm me that report i would be grateful.
This is quite serious

GJC Web Design

re: 
QuoteI just got an update by Yireo a Joomla Developers Company in Holland, they suggest on a normal Joomla installation to to install a free sql iniection/lfi protection plugin for joomla (http://www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla),

I have this installed especially on older J1.5 sites and seems to catch an amazing number of attempts..

I had email notifications of attempts on and often received 100's of emails in a space of an hour notifying of blocked inject attempts
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

Milbo

Quote from: ptrouw on October 21, 2015, 09:03:07 AM
Does 3.0.11 have improvement stopping cross scripting and sql injection?

Quote from: Milbo on October 20, 2015, 18:06:46 PM
yes! one sql injection, mainly harmless, because only possible with superadmin rights and one XSS

Please read my answer. Check my position, read my answer again.

Quote from: Milbo on October 21, 2015, 00:18:07 AM
Quote from: ptrouw on October 20, 2015, 18:17:56 PM
So any thoughts on going forward?

yes download vm3.0.11
http://dev.virtuemart.net/attachments/download/974/com_virtuemart.3.0.11_extract_first.zip
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

Quote from: balai on October 21, 2015, 10:58:17 AM
If you can pm me that report i would be grateful.
This is quite serious

I am sorry, Balai, actually the right address is me. I am quite sure I got this audit already some weeks ago and vm3.0.11 is already with the fixes and vm2.6.30 will have 2 of them also. Btw, all of this was announced by me in the internal chat, as far as i know.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

balai

Fine Max
I was intending to speed up the the recognition and fixing of these issues.
Hope to have some good news about that soon