I recently got notified of an XSS vulnerability in VM 3.8.4 10335 (running on Joomla 3.9.21, PHP 7.3.16). The following URL generates a popup message:
http://localhost/component/virtuemart/?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e
How do I fix this?
This means that if you insert the dir=.. alert script, you get a popup.
This does not mean that the XSS is saved in the database, but that you can inject a script into the DOM and run it.
The only real problem is if you click a link with an XSS, so it can be used by a hacker directly (he needs to redirect you using a link), but not when a customer does a search.
A hacker has many other ways to run a script in your browser, so the risk is very, very low.
Studio 42 this is a bug.
Hmm, it seems that vRequest::getCmd does not filter correctly.
I tested it and the result is
%22%3e%3cscript%3ealert%28%27%34%4e%5f%43%55%52%5a%45%27%29%3c%2fscript%3e
getCmd should only return these characters: aZ-_
Joomla getCmd sends back:
223e3cscript3ealert2827344e5f4355525a4527293c2fscript3e
So this is a general issue in the vRequest::getCmd input filter, so this vulnerability is certainly in all links that use getCmd!!!!
So using task=.... in the link can have the same vulnerability.
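The filtering gap Studio 42 describes above (a value that still carries percent-encoding after getCmd, and is decoded into markup later) can be reproduced and checked with the following standalone PHP. This is an added example, not VirtueMart's or Joomla's getCmd; the function names weakCmd, safeCmd and renderSortLink and the link URL inside renderSortLink are assumptions, and the $dir value is the dir= parameter from the report as PHP receives it in $_GET.

```php
<?php
// Added example, not VirtueMart or Joomla code. Shows why a getCmd-style
// filter must be applied to the fully decoded value and must not let '%'
// through, and how to encode the result when it is written into HTML.

// Hypothetical weak filter: whitelist that still contains '%', so the
// percent-encoded payload passes the filter and is decoded further down.
function weakCmd(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_\-%]/', '', $value);
}

// Hardened filter: decode until the value stops changing (bounded, so a
// crafted string cannot keep the loop busy), then keep only [A-Za-z0-9_-].
// Anything that was hiding behind encoding is removed instead of forwarded.
function safeCmd(string $value, int $maxRounds = 5): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return preg_replace('/[^A-Za-z0-9_\-]/', '', $value);
}

// Output side (hypothetical link): the value is used as a query parameter.
// Encoding for the URL and then for the HTML attribute keeps a stray '"' or
// '>' from closing the attribute even if the input filter regresses.
function renderSortLink(string $dir): string
{
    $href = 'index.php?option=com_virtuemart&view=category&dir=' . rawurlencode($dir);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">sort</a>';
}

// Constructed input: the dir= value from the report as PHP sees it in $_GET
// (the outer encoding layer has already been removed once by PHP).
$dir = '%22%3e%3cscript%3ealert%28%27%34%4e%5f%43%55%52%5a%45%27%29%3c%2fscript%3e';

printf("weak filter : %s\n", weakCmd($dir));
// one more decode later in the request pipeline turns the weak result into markup
printf("after decode: %s\n", urldecode(weakCmd($dir)));
printf("safe filter : %s\n", safeCmd($dir));
printf("safe link   : %s\n", renderSortLink(safeCmd($dir)));
```

Run it with `php example.php`. The quick regression check for a fixed getCmd is the "weak filter" line: if a `%` survives the filter, a later decode can still rebuild the tags, regardless of which characters the whitelist names. The hardened version keeps only letters, digits, underscore and hyphen after decoding, and the output side encodes twice (URL, then HTML attribute) so the link stays intact even when a value slips through.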
Is there a patch for this?
Sorry for the late answer - the current VM developers plus a few other VM users including me tried to reproduce your result, but none of us was able to reproduce the issue you described - even when using the same versions you stated above.
jjk, I checked myself and I have the same issue.
Try this link http://demo.virtuemart.net/component/virtuemart?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e
Max found the issue.
There will be a new version shortly. The fix will be in.
Quote from: Studio 42 on November 02, 2020, 11:56:42 AM
jjk, I checked myself and I have the same issue.
Try this link http://demo.virtuemart.net/component/virtuemart?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e
Not any longer.
VM 3.8.6 was released last week with the fix included.
Please update.