News:

Support the VirtueMart project and become a member

Main Menu

Recent VM shop audit failed!

Started by ptrouw, April 28, 2015, 21:19:56 PM

Previous topic - Next topic

ptrouw

Hope someone can point me in the right direction, we just had an audit on vm3.0.4 and failed. There were quite a few security problems, Cross-Site Scripting (XSS) Vulnerabilities and Path Disclosure.
I contacted Nicholas, Director of Akeeba, because they provide a very good Joomla firewall product. But he states although the firewall can stop these attacks, the problem should be fixed within VM.
I read something about security fixes in 3.0.8. Would the solve the attacks below?

[Examples removed for security reasons]

jenkinhill

Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Milbo

#2
yepp, all fixed and also explained. Actually if payload is a 3rd party plugin, I dont know. Maybe it is fixed by the others, but more likely it is a problem with the plugin of payload.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

#3
And btw, next time I would recommend

First: If you did a security audit, it is important to know the name of the security company.
Second: You should not publish the examples in the public, for your own security.
Third: If you really want help for security problem, you should write privately your concerns
4th: I wonder why you ask Nicholas first and not here.
5th: Most logical way to solve the problem is to ask the security company to talk with us.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Jose M.

VM 2.5.18 is also affected?
thanks
greetings

Jose

jenkinhill

No. If it was there would already have been a security release for that. And I assume you mean 2.6.18  - there never was a 2.5.18
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Jose M.

Hi!
I'm sorry, yes, 2.6.18.
Greetings

Jose