Recent VM shop audit failed!

ptrouw · April 28, 2015, 21:19:56 PM

Hope someone can point me in the right direction, we just had an audit on vm3.0.4 and failed. There were quite a few security problems, Cross-Site Scripting (XSS) Vulnerabilities and Path Disclosure.
I contacted Nicholas, Director of Akeeba, because they provide a very good Joomla firewall product. But he states although the firewall can stop these attacks, the problem should be fixed within VM.
I read something about security fixes in 3.0.8. Would the solve the attacks below?

[Examples removed for security reasons]

jenkinhill · April 28, 2015, 23:29:16 PM

Did you not understand the news about the security release? http://virtuemart.net/news/latest-news/469-security-release-vm3-0-8

Milbo · April 28, 2015, 23:34:29 PM

yepp, all fixed and also explained. Actually if payload is a 3rd party plugin, I dont know. Maybe it is fixed by the others, but more likely it is a problem with the plugin of payload.

Milbo · April 29, 2015, 08:05:37 AM

And btw, next time I would recommend

First: If you did a security audit, it is important to know the name of the security company.
Second: You should not publish the examples in the public, for your own security.
Third: If you really want help for security problem, you should write privately your concerns
4th: I wonder why you ask Nicholas first and not here.
5th: Most logical way to solve the problem is to ask the security company to talk with us.

Jose M. · May 14, 2015, 22:50:22 PM

VM 2.5.18 is also affected?
thanks
greetings

Jose

jenkinhill · May 15, 2015, 11:34:08 AM

No. If it was there would already have been a security release for that. And I assume you mean 2.6.18 - there never was a 2.5.18

Jose M. · May 15, 2015, 14:06:45 PM

Hi!
I'm sorry, yes, 2.6.18.
Greetings

Jose

News:

Recent VM shop audit failed!

ptrouw

jenkinhill

Milbo

Milbo

Jose M.

jenkinhill

Jose M.