News:

Looking for documentation? Take a look on our wiki

Main Menu

Lost all Images after 3.0.18

Started by webwzrd, November 04, 2016, 21:31:04 PM

Previous topic - Next topic

webwzrd

After upgrading to 3.0.18 the noimage.gif is appearing for all images on the front and back end. Can anyone help me problem solve this?

Brian

jenkinhill

Upgrading from what? Joomla version? URL?
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

webwzrd

#2
I upgraded from 3.0.16 and it's Joomla 3.6.4

Edit: removed site link

Jörgen

Hello

You have a securiyty issue, I can reach the edit icon as unregistered user.  I get access to Your backens  Take the shop off line immediately is my suggestion !
I have actually taken the shop offline, before some one else does something worse. Hope You don´t mind.

regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

webwzrd

Jorgen, Thank you very much. I actually restored the site from a few days ago, but still a 3.0.18 version and all the images came back, so this wasn't a VM upgrade issue. However the security issue was still there so I took it back offline too.

Thank you very much for your presumptive action. Now I have some work to do.

webwzrd

Any suggestions how it is that the store is showing the edit icon to the public?

webwzrd

Got it under control. I really appreciate your assistance, your help was invaluable.

Jörgen

Hello again

What was the issue that opened access to the site. Maybe others could be warned ?

regards

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

Milbo

Just for historic reasons. Could it be that your public group got some admin rights? Because you woud be the 3rd shop within 3 days with this manipulation.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

webwzrd

I believe this was related to the recent Joomla (pre-3.6.4) vulnerability allowing users to register with elevated privileges. This hack allowed "guests" to have admin rights. I had upgraded Joomla this past weekend but it was after it was already hacked. I even saw the extra users and deleted them, but the damage had already been done, I just didn't notice it until Jörgen pointed it out. I forget when I upgraded VM, but just assumed I hadn't checked to make sure everything was working and that the new version broke the images. Sorry, I was wrong.

Looks like the hacker did something that disrupted all the store images and worst, they deleted all previous orders. I couldn't find any other damage. I restored the site to an earlier state and re-upgraded everything.

Milbo

You have really an ugly story to tell webwzrd. From my point of view, it is not your fault. A lot people got hacked due this hack and have problems.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

GJC Web Design

Still not 100% sure about a recent site that I upgraded to J3.6.4

it was J3.2.0 and i can't find any recent user registrations etc.. maybe they cleaned after themselves but long story short after the the upgrade, Public had full SuperAdmin rights

I still have a copy of it original site locally (3.2.0)  and Public do NOT have these rights.. it was the previous settings + the 3.6.4 upgrade that passed them
And it wasn't a hack -- it was just the Global settings Permissions that inherited to Public the SuperAdmin rights after the upgrade
with the correct Global settings Permissions all OK ..

so don't know if this was a hacker pre-setting the rights to do this (sounds unlikely) or wrongly set 3.2.0 perms that allowed Public once upgraded .. or....  settings that were kosher in 3.2.0 that aren't in 3.6.4
..also seems unlikely
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation

Milbo

yepp, and i had after the update to j3.6.4 public permission for "Configure ACL & Options", which is "core.admin". There was no account added. any other right was as before and it was also not "inherited" like in the case of GJC
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/