Cross-site scripting attacks VM 2.0.6

Started by renangbarreto, April 29, 2012, 05:31:59 AM


Please, some dev, take a look.
I'm using 2.0.6.

Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Using the POST HTTP method, Site Scanner found that:
+ The following resources may be vulnerable to cross-site scripting (comprehensive test):
+ The 'customPrice[0][9]' parameter of the /CATEGORYNAME/index.php CGI:
/CATEGORYNAME/index.php [virtuemart_category_id[]=4&option=com_virtuemar
tity[0]=1&addtocart=Adicionar ao Cesto&virtuemart_manufacturer_id=1&cust
-------- output --------
<input type="hidden" name="view" value="cart" />
<input type="hidden" name="task" value="update" />
<input type="hidden" name="cart_virtuemart_product_id" value="25::9:<<<<
<<<<<<foo"bar'204>>>>>;" />
<input type="submit" class="vmicon vm2-add_quantity_cart" name="up [...]
Other references : CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:87, CWE:85, CWE:86, CWE:84

Studio 42

This is a false report!

In function updateProductCart:

      // Only a key that already exists in the cart is accepted; any other value is ignored.
      $cart_virtuemart_product_id = JRequest::getString('cart_virtuemart_product_id');
      if (array_key_exists($cart_virtuemart_product_id, $this->products)) {

If you set another value, this is simply ignored! You cannot change the value, not only because of MySQL injection but because of customer cheating.


As far as we can see, this should be fixed in FE/helpers/cart.php, lines 411 - 418:

if ( is_array($custom_fieldId) ) {
    // Cast both ids to int so strings from the request cannot be appended to the key verbatim.
    foreach ($custom_fieldId as $userfieldId => $userfield) {
        $productKey .= (int)$customId . ':' . (int)$userfieldId . ';';
    }
} else {
    $productKey .= (int)$customId . ':' . (int)$custom_fieldId . ';';
}

and in line 518, move the setCartIntoSession call inside the brackets.

// Save the cart


I wouldn't trust GoDaddy's site scanner too much, as it seems to be the only one which thinks there is a vulnerability in VM2, even though it's either a very low possibility or does no harm. As far as I know, their site scanner doesn't go deep into the system. So it might open a first privacy protection door, but doesn't recognize when there are additional armoured doors behind the first door. In general I think this old reply in the Joomla forum applies to your case, too.
See here: