VirtueMart 2.0.2 possible SQL Injection

Started by HauntIT, April 10, 2012, 13:16:33 PM

HauntIT

Hello,

I just found some information about a "possible sql injection" in the latest VirtueMart (2.0.2).
So yes, it is true. ;)

Why did I decide to write this here? I found this vulnerability on 5.04 this year, and now I saw that someone made it public on 6.04 ;)
So that's why I want to share with You full detailed technical information about this "possibility".

Anything You want to ask - ask at http://hauntit.blogspot.com - that is my blog, where some (not 'full') technical info is published
about this behavior of VM. You'll see.

Anyway, besides SQL-i, there are some other kinds of vulnerabilities in VM. I'm talking about information disclosure bugs.
If a user submits a 'wrong url' then (because of wrong validation) he can get /path/to/your/virtuemart.
This information can be useful for other (extended) attacks.

This is my first post here, so if I find an 'add image' option, I will paste some screens.

Cheers! ;)
Jakub

Studio 42

Hi,
It's reported as a possible injection, because the form gets the session values.
Some said they have in HTML
"COrRECTVALUE" src="javascript .... but these are in the user form, and are not saved in the database.
I don't understand why this is reported as a SQL problem.
If you look on the JED, such problems are in more than 100 components and modules for Joomla.
Joomla itself has MySQL injection reports (and they are only solved after one month many times).
Perhaps you can explain the other injection, because we have many reports but not many real results.
But if you have doubts about this, we added some filters, and updating to the latest 2.04 resolves it.

HauntIT

As You will see in the screens on my blog, there is an answer to the question "(...)why this is reported as a sql problem."

If You are adding ('requesting') values from the vulnerable parameter ..._id=n
then You are 'asking the database' about this 'id'. And 'via' this way, we can get the table name and other errors.

Cheers;)
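
Added example, not part of the thread and not VirtueMart code: a minimal Python/sqlite3 stand-in for the pattern described in the post above, where an `_id` request value reaches the database and the error output names a table, shown next to a hardened lookup. The table `shop_products`, both function names and the assumption that the handler echoes the failing statement are hypothetical.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shop_products (product_id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO shop_products VALUES (1, 'Sample item')")
    return db

def lookup_unsafe(db, raw_id):
    # 'Before' pattern: request value concatenated into the SQL text, and the
    # database error plus the failing statement echoed back to the visitor.
    sql = "SELECT name FROM shop_products WHERE product_id = " + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Database error: %s SQL=%s" % (exc, sql)
    return row[0] if row else "Not found"

def lookup_safe(db, raw_id, server_log):
    # Hardened: accept only a short run of ASCII digits, bind the value as a
    # parameter, and keep error detail in a server-side log.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return "Invalid request"
    try:
        row = db.execute(
            "SELECT name FROM shop_products WHERE product_id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error as exc:
        server_log.append(repr(exc))
        return "Internal error"
    return row[0] if row else "Not found"

if __name__ == "__main__":
    db, log = make_db(), []
    for value in ("1", "abc"):  # "abc" is a constructed malformed id
        print(repr(value), "| unsafe:", lookup_unsafe(db, value))
        print(repr(value), "| safe:  ", lookup_safe(db, value, log))
```

The hardened version gives the same response to every malformed id, so the page output no longer depends on what the database said about the request.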

Milbo

Be aware that the error messages differ, if you are logged in or not.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/