VirtueMart Forum

VirtueMart 2 + 3 + 4 => Security (https) / Performance / SEO, SEF, URLs => Topic started by: bkleyens on October 08, 2020, 22:25:02 PM

Title: XSS Vulnerability
Post by: bkleyens on October 08, 2020, 22:25:02 PM
I recently got notified of an XSS vulnerability in VM 3.8.4 10335 (Running on Joomla 3.9.21, PHP 7.3.16). The following URL generates a popup message:

http://localhost/component/virtuemart/?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e


How do I fix this?
Title: Re: XSS Vulnerability
Post by: Studio 42 on October 10, 2020, 14:26:11 PM
This means that if you insert the dir=.. alert script, you display a popup.
This does not mean that the XSS is saved in the database, but that you can inject a script into the DOM and run it.
The only real problem is if you click a link with an XSS, so it can be used by a hacker directly (he needs to redirect you using a link), but not when a customer does a search.
A hacker has many other ways to run a script in your browser, so the risk is very, very low.
Title: Re: XSS Vulnerability
Post by: ermes on October 12, 2020, 12:06:38 PM
Studio 42, this is a bug.
Title: Re: XSS Vulnerability
Post by: Studio 42 on October 12, 2020, 15:30:56 PM
Hmm, it seems that vRequest::getCmd does not filter correctly.
I tested it and the result is
%22%3e%3cscript%3ealert%28%27%34%4e%5f%43%55%52%5a%45%27%29%3c%2fscript%3e
getCmd should only return these characters: aZ-_

Joomla getCmd sends back:
223e3cscript3ealert2827344e5f4355525a4527293c2fscript3e

So this is a general issue in the vRequest::getCmd input filter, so this vulnerability is certainly in all links that use getCmd!!!!
So using task=.... in the link can have the same vulnerability.
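
An added example (not part of the thread, and not VirtueMart or Joomla source code) of the comparison made in the post above: an allow-list filter reproduces the cmd result quoted there, and output encoding covers the case where a value is reflected without filtering. The helper names `cmd_filter` and `html_out`, the exact character set, and the assumption that some later step decodes the value a second time are illustrative.

```php
<?php
// Added illustration; not VirtueMart or Joomla source code.

// Allow-list filter in the style of a "cmd" input filter: keep letters,
// digits, underscore, dot and hyphen, drop everything else (assumed set).
function cmd_filter(string $value): string
{
    return ltrim((string) preg_replace('/[^A-Za-z0-9_.-]/', '', $value), '.');
}

// Encode a value for output in HTML text or a quoted attribute.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Value of "dir" as quoted in the post above (what the application sees
// after the query string has been URL-decoded once).
$dir = '%22%3e%3cscript%3ealert%28%27%34%4e%5f%43%55%52%5a%45%27%29%3c%2fscript%3e';
// Result the post reports for Joomla's getCmd on the same input.
$reported = '223e3cscript3ealert2827344e5f4355525a4527293c2fscript3e';

// A check that only looks for markup characters finds none at this layer.
$markupVisible = preg_match('/[<>"\']/', $dir) === 1;

// Assumption for illustration: some later step decodes the value once more.
$decodedAgain = rawurldecode($dir);

// The allow-list removes the percent signs, so a later decode changes nothing.
$filtered = cmd_filter($dir);

printf("markup characters visible:    %s\n", $markupVisible ? 'yes' : 'no');
printf("matches reported cmd result:  %s\n", $filtered === $reported ? 'yes' : 'no');
printf("filtered value decoded again: %s\n", rawurldecode($filtered));
printf("unfiltered, decoded, escaped: %s\n", html_out($decodedAgain));
```

The filter and the output encoding are independent layers: the first narrows what a parameter may contain, the second keeps whatever does get through from being parsed as markup when it is written into the page.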
Title: Re: XSS Vulnerability
Post by: bkleyens on October 22, 2020, 17:28:59 PM
Is there a patch for this?
Title: Re: XSS Vulnerability
Post by: jjk on November 01, 2020, 14:09:17 PM
Sorry for the late answer - the current VM developers plus a few other VM users including me tried to reproduce your result, but none of us was able to reproduce the issue you described - even when using the same versions you stated above.
Title: Re: XSS Vulnerability
Post by: Studio 42 on November 02, 2020, 11:56:42 AM
jjk, I checked myself and I have the same issue.
Try this link http://demo.virtuemart.net/component/virtuemart?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e
Title: Re: XSS Vulnerability
Post by: StefanSTS on November 02, 2020, 12:10:48 PM
Max found the issue.

There will be a new version shortly. The fix will be in.
Title: Re: XSS Vulnerability
Post by: Milbo on November 05, 2020, 11:04:52 AM
Quote from: Studio 42 on November 02, 2020, 11:56:42 AM
jjk, I checked myself and I have the same issue.
Try this link http://demo.virtuemart.net/component/virtuemart?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e

Not any longer.
Title: Re: XSS Vulnerability
Post by: StefanSTS on November 10, 2020, 13:25:27 PM
VM 3.8.6 was released last week with the fix included.
Please update.