List of vulnerable files since VM 3.0.8

Started by VMx, September 15, 2017, 15:31:50 PM

VMx

I am using VM 3.0.8 and I have used lots of modifications. If I update now to version 3.2.4, a lot of things are broken and not working, so it would take days to fix everything. So I am now wondering whether it is even worth updating, or should I leave VM at version 3.0.8? The only concern I have is security related, so have there been any security patches since that version, and if so, is there a list of them so that I would only fix those files which are vulnerable?

jenkinhill

No VM security patches are issued, just full versions to be used when updating. VM3.0.8 is well over 2 years old and is certainly insecure; versions like this have been hacked. You don't mention which Joomla version, but hopefully it is J3.7.5, as anything older than 3.7.4 is seriously at risk. http://forum.virtuemart.net/index.php?topic=118683.0
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

VMx

Yes, Joomla was also updated to 3.7.5, which doesn't cause many problems. The biggest problems are with VM, because so many modifications were done in files. So from a security view it is advised to update VM to the latest version and modify all files and the database again? And at the next updates I will have to do the same again, or is there any info when some security patch is made so that I can just update the files which have problematic code and not all? Because it's too much work, testing and risk of new bugs that it may not be worth doing that often... On the Joomla page we can get information on which files/lines need to be modified to patch a security hole; I thought you might have something similar published somewhere.

jenkinhill

If you correctly make any modifications through the use of template overrides (or by plugin if the core files need changing) then there is no need to worry much about re-editing when you update versions. Because you have a big version jump to do, there are not just template changes to consider, as there are many more configuration options now which would have to be sorted.

If you made template changes without saving the changed files as overrides, then you could do that now so they will be retained during an update. Some would still need editing, though.

If you go backwards through http://dev.virtuemart.net/projects/virtuemart/repository you can see all the file changes that have been made. They are not just about security, but bugfixes and improvements too. Some were to fix problems introduced by changes in Joomla.
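An added example, not part of the thread or of VirtueMart's own code: one way to take stock before the update is to hash the live site against a pristine copy of the same VirtueMart version, then sort every modified file into "can become a template override" or "core edit that needs a plugin or re-applying". It assumes the pristine package is unpacked locally and relies on Joomla's standard override location; the function names, the template name `mytemplate` and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Joomla override convention: components/com_virtuemart/views/<view>/tmpl/<layout>.php
# is overridden by templates/<template>/html/com_virtuemart/<view>/<layout>.php
VIEW_PREFIX = ("components", "com_virtuemart", "views")

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def override_path(rel, template):
    """Return the template-override location for a view layout, else None."""
    p = Path(rel).parts
    if len(p) == 6 and p[:3] == VIEW_PREFIX and p[4] == "tmpl" and p[5].endswith(".php"):
        return "/".join(("templates", template, "html", "com_virtuemart", p[3], p[5]))
    return None

def audit(pristine_root, live_root, template):
    """Diff the live tree against a pristine copy of the SAME VirtueMart version."""
    pristine_root, live_root = Path(pristine_root), Path(live_root)
    report = {"override": {}, "core_edit": [], "missing": []}
    for src in sorted(p for p in pristine_root.rglob("*") if p.is_file()):
        rel = src.relative_to(pristine_root)
        live = live_root / rel
        if not live.is_file():
            report["missing"].append(rel.as_posix())
        elif digest(src) != digest(live):
            target = override_path(rel, template)
            if target:
                report["override"][rel.as_posix()] = target  # survives updates once moved
            else:
                report["core_edit"].append(rel.as_posix())   # needs a plugin or re-applying
    return report

def demo():
    """Audit two small constructed trees (sample paths and contents, not real files)."""
    view = "components/com_virtuemart/views/productdetails/tmpl/default.php"
    helper = "components/com_virtuemart/helpers/sample_helper.php"
    router = "components/com_virtuemart/router.php"
    trees = {"pristine": {view: "v1", helper: "h1", router: "r1"},
             "live": {view: "v1 edited", helper: "h1 edited"}}  # router deleted on live
    with tempfile.TemporaryDirectory() as tmp:
        for root, files in trees.items():
            for rel, body in files.items():
                f = Path(tmp, root, rel)
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_text(body)
        return audit(Path(tmp, "pristine"), Path(tmp, "live"), "mytemplate")
```

Files that exist only on the live site are not listed by this comparison; walking the live tree the same way would surface those additions.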