VirtueMart Forum

VirtueMart General => About VirtueMart - not for support posts => Topic started by: Mark Smeed on January 28, 2010, 12:43:40 PM

Title: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Mark Smeed on January 28, 2010, 12:43:40 PM
Hi Guys,

I've just become aware of a SQL injection Vulnerability in all 1.0 versions of VirtueMart.

The summary of the Vulnerability can be found @ http://docs.joomla.org/Vulnerable_Extensions_List

It would seem that the JED became aware of this on the 7th December 09 and therefore I was wondering if this has been addressed?

If not when do you think a fix will be available?

Thanks,

:)
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: martin77 on January 28, 2010, 12:57:53 PM
Above the list it is said that only the ones in a red box aren't addressed yet; the VirtueMart vulnerability isn't in a red box, so I assume it's fixed.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Mark Smeed on January 28, 2010, 13:50:42 PM
Hi Martin,

Thank you for your post!

If you visit the extensions on the JED you will find that the extension has been unpublished by Joomla! for the following reason: http://extensions.joomla.org/extensions/129/details

Quote: This extension has been unpublished for the following reason: Vulnerable Extensions List - http://docs.joomla.org/http://www.exploit-db.com/exploits/10407_Extensions_List

This is a bit disconcerting. Maybe my fear is unjustified; however, it would be very helpful to hear from one of the VR developers on this matter, if only to set our fears at rest.

To learn more about the SQL Injection vulnerabilities: http://www.exploit-db.com/exploits/10407 & http://www.exploit-db.com/exploits/11271 & http://www.exploit-db.com/exploits/10407

Thanks,

:)
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: tomkerswill on January 28, 2010, 16:53:28 PM
Hi --- this has also been mentioned on the SANS newsletter today, and on:

http://www.securityfocus.com/bid/37963

It doesn't look like there's a fix available at the moment at all... at least not one that is mentioned on Security Focus. Would love to know more details about how this can be patched!

Tom
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Milbo on January 28, 2010, 19:32:43 PM
First:

The vulnerability does not hit the normal VirtueMart because it is only accessible via the backend. As long as there is no multivendor, this is not a vulnerability.
This is a minor problem, and the next thing is that this is fixed by Thomas for vm1.1.4b; just download the nightly build from 28.1.10.

Cyas da Milbo
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Mark Smeed on January 29, 2010, 10:35:52 AM
Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability; however, there seems to be another vulnerability which can be exploited via the front-end!

The vulnerability seems to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

:)
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bass28 on January 29, 2010, 16:22:30 PM
We feel we have the backend vulnerability for 1.1.4 corrected.  We are investigating the others reported in 1.0 and hope to have patches shortly.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Milbo on January 29, 2010, 16:41:27 PM
Please look here

This line fixes the frontend security leak with the product_id
change line 23 in /html/order.order_status_form.php to
$order_status_id =vmrequest::getInt('order_status_id', 0);

Written by zorkhh: The problem was that the order_status_id parameter was not checked correctly and accepted strings where only integers should be allowed. This way the injection could happen. Now it makes sure that the variable can contain only integers.

This should help, the changes are already in the svn, we will release a patch soon.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: David-Andrew on January 29, 2010, 16:46:00 PM
Doing great work guys, keep it up!

Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: zorkhh on January 29, 2010, 16:54:38 PM
Hi,

you should check vm-expert.com more often  ::)

We have published this solution here after we have updated the SVN: http://www.vm-expert.com/virtuemart-expert-blog/82-security-fix-for-vm-114

Cheers,

Thomas
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bsavic on January 29, 2010, 20:45:12 PM
Hi Everyone,

I could not recreate this issue on a site with VirtueMart 1.0.15; the server has magic quotes enabled.

Is this because of magic quotes? What do you think?

Thanks

Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: zorkhh on January 29, 2010, 20:51:27 PM
Be careful with the versions! The last posts were VM 1.1.4 related...

Thomas
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bass28 on January 30, 2010, 03:29:50 AM
I added files to SVN for both 1.0.15 and 1.1.4 which should eliminate the SQL injections that have been reported.  If anyone comes across any more, let us know.

I will post patched files on the site for download soon.
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: bass28 on January 30, 2010, 16:05:37 PM
Here are the patch files for 1.0.15 and 1.1.4.  Just extract them into your Joomla root folder.  The first part of the filename indicates the version. ;)

[attachment cleanup by admin]
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: tomkerswill on February 02, 2010, 17:28:42 PM
Ah great - thanks so much for the quick action and fix. Am finding virtuemart to be really excellent!
Tom
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: Soeren on February 03, 2010, 10:53:54 AM
Thanks again for the quick fixes.
I have published a news article here: http://virtuemart.net/news/list-all-news/366
The security bulletin can be found here: http://virtuemart.net/security-bulletins/365-vm-security-bulletin-2010-01-30

ciao, Sören
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: virtoom on February 07, 2010, 13:40:16 PM
Thanks a lot! If I download a fresh copy of VirtueMart, I don't need the patch I suppose?

Thanks in advance,

V.
Title: The fix for nothing?
Post by: Simon A. on February 11, 2010, 17:34:14 PM
The shop.product_details exploit mentioned above on exploit-db.com does not affect my site running VM 1.0.14.

Regarding the shop.product_details exploit, I posted this earlier to the News section of the VM website when the forum was down:

Shemzone already pointed out the additional code in shop.product_details.php added to try to fix this bug:

    // Check for non-numeric product id
    if (!empty($product_id)) {
      if (!is_numeric($product_id)) {
        $product_id = '';
      }
    }

BUT $product_id is already forced to be an integer just a couple lines earlier:

    $product_id = intval( mosgetparam($_REQUEST, "product_id", null) );

It doesn't look like the new code prevents any SQL injection via $product_id because no SQL injection was possible before.

Can anyone here confirm that the exploit is for real?

How does the newly added code fix the problem if it is for real?
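The integer check discussed in the posts above, shown as an added PHP example that is not VirtueMart code and not part of any post: a string parameter in an unquoted numeric SQL context, the effect of quote escaping, an integer-only accessor, and an is_numeric() test placed after intval(). The helper `get_int_param()`, the table name and the request value are hypothetical and constructed for illustration; the helper rejects non-integer strings, which is an assumption and not a description of `vmrequest::getInt`.

```php
<?php
// Added example. All names here are hypothetical; nothing is taken from VirtueMart.

// Stand-in for an integer-only request accessor (assumed behaviour:
// return the default unless the value is a well-formed integer).
function get_int_param(array $request, string $name, int $default = 0): int
{
    if (!isset($request[$name]) || !is_scalar($request[$name])) {
        return $default; // missing, or an array such as ?id[]=1
    }
    $value = filter_var($request[$name], FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

// Builds a statement with the value in an unquoted numeric position.
// No database is contacted; the string is only printed for inspection.
function build_query($order_status_id): string
{
    return "SELECT * FROM example_order_status WHERE order_status_id = "
         . $order_status_id;
}

// Constructed request: a string arrives where an integer is expected.
$request = ['order_status_id' => '3 OR 1=1'];
$raw = $request['order_status_id'];

// 1. Unchecked value: the whole string becomes part of the SQL text.
echo "unchecked:    ", build_query($raw), "\n";

// 2. Quote escaping (what magic quotes applied, simulated with addslashes)
//    leaves this value untouched: it contains no quote characters and the
//    SQL context is not quoted.
echo "addslashes:   ", build_query(addslashes($raw)), "\n";

// 3. Integer-only accessor: the value is not an integer, so the default is used.
echo "int accessor: ", build_query(get_int_param($request, 'order_status_id')), "\n";

// 4. intval() followed by is_numeric(): intval() always returns an integer,
//    so the later is_numeric() test cannot reject anything.
$product_id = intval($raw);
echo "after intval: ", build_query($product_id), "\n";
echo "is_numeric() after intval(): ";
var_dump(is_numeric($product_id));
```

Run it with the PHP command-line interpreter and compare the four printed statements; only the first two carry the request string into the SQL text.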
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: nedge2k on February 12, 2010, 16:34:10 PM
Quote from: Mark Smeed on January 29, 2010, 10:35:52 AM
Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability; however, there seems to be another vulnerability which can be exploited via the front-end!

The vulnerability seems to be present on the product details pages, which permits the hackers to compromise the system via SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

:)


Are any of the admins going to address this? Or is it in the patch already?

FWIW, I just had a look at my html/shop.product_details (VM 1.1.14) and amended the following as per the backend fix:
Line 35
//$product_id = intval( vmGet($_REQUEST, "product_id", null) );
$product_id = vmrequest::getInt('product_id', 0);
//$category_id = vmGet($_REQUEST, "category_id", null);
$category_id = vmrequest::getInt('category_id', 0);
//$manufacturer_id = vmGet($_REQUEST, "manufacturer_id", null);
$manufacturer_id = vmrequest::getInt('manufacturer_id', 0);


(original code //commented out)

I know it's supposed to be a 1.0 glitch but it looks like the category and manufacturer id's could be vulnerable in 1.1?
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: xnsjay on March 05, 2010, 10:17:11 AM
very good..
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: korij on April 11, 2010, 07:10:13 AM
I just downloaded VirtueMart April 1; have the patches for 1.1.4 already been integrated or should I still apply them?
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: felixp on April 29, 2010, 21:16:30 PM
We're running version 1.1.3. Does this apply to us as well? And if it does, is there a place to see the changes/updates so we could apply them manually. Thank you!
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: scanreg on June 04, 2010, 15:14:30 PM
Quote from: korij on April 11, 2010, 07:10:13 AM
I just downloaded VirtueMart April 1; have the patches for 1.1.4 already been integrated or should I still apply them?

Same concern here
Title: Re: SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!
Post by: sled10 on July 13, 2010, 18:51:25 PM
I extracted the vm114 file and your instructions say to place it in my Joomla root folder, but I already have a folder called administrator. Do you want me to overwrite the whole administrator folder or just upload the two individual files that are inside the html folder? Thanks for the clarification.