Hope someone can point me in the right direction. We just had an audit on VM 3.0.4 and failed. There were quite a few security problems: Cross-Site Scripting (XSS) vulnerabilities and path disclosure.
I contacted Nicholas, Director of Akeeba, because they provide a very good Joomla firewall product. But he states that although the firewall can stop these attacks, the problem should be fixed within VM.
I read something about security fixes in 3.0.8. Would that solve the attacks below?
[Examples removed for security reasons]
Did you not understand the news about the security release? http://virtuemart.net/news/latest-news/469-security-release-vm3-0-8
Yep, all fixed and also explained. Actually, if the payload is a 3rd-party plugin, I don't know. Maybe it is fixed by the others, but more likely it is a problem with the plugin of the payload.
And by the way, next time I would recommend:
First: If you did a security audit, it is important to know the name of the security company.
Second: You should not publish the examples in public, for your own security.
Third: If you really want help with a security problem, you should write your concerns privately.
4th: I wonder why you asked Nicholas first and not here.
5th: The most logical way to solve the problem is to ask the security company to talk with us.
Is VM 2.5.18 also affected?
thanks
greetings
Jose
No. If it were, there would already have been a security release for that. And I assume you mean 2.6.18; there never was a 2.5.18.
Hi!
I'm sorry, yes, 2.6.18.
Greetings
Jose