Author Topic: security vulnerability in vmbeez3 template  (Read 2303 times)

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 15
security vulnerability in vmbeez3 template
« on: February 05, 2020, 19:06:35 pm »
This is from my host A2Hosting.  I get these periodically and note that they are calling out a security issue with the vmbeez3 template.

****************************************************
We recently sent you an email regarding vulnerabilities detected on your domain(s) mayach.com hosted on a2ss29.a2hosting.com. As promised in our previous email, we have gone ahead and applied patches to fix the following vulnerabilities:

Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/html/com_content/article/default.php


Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/jsstrings.php


Click here to learn more about our perpetual security scans: https://www.a2hosting.com/kb/cpanel/advanced-features/patchman

Best Regards,

The A2 Hosting Support Team
**********************************************************************************************
   
   

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 15
Re: security vulnerability in vmbeez3 template
« Reply #1 on: February 05, 2020, 19:30:02 pm »
Compared a new install of VirtueMart from today with the change that A2Hosting made to the two template files (attached).

Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/html/com_content/article/default.php

added line 16
added lines 172-205

Information disclosure vulnerability in Joomla
/home/mayachco/public_html/a914/templates/vmbeez3/jsstrings.php

added lines 10-12

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 15
Re: security vulnerability in vmbeez3 template
« Reply #2 on: February 05, 2020, 19:31:18 pm »
Renamed the .php files to .txt in order to upload to this forum.

J

pinochico

  • 3rd party VirtueMart Developer
  • Full Member
  • Posts: 1157
    • MiniJoomla
  • Skype Name: support-easysoftware
  • VirtueMart Version: 3
Re: security vulnerability in vmbeez3 template
« Reply #3 on: February 05, 2020, 19:43:48 pm »
The files are not vulnerable.

www.minijoomla.org  - new portal for Joomla!, Virtuemart and other extensions
XML Easy Feeder - feeds from products, orders and database table
Virtuemart Email Manager - customs email templates

jdraper

  • 3rd party VirtueMart Developer
  • Beginner
  • Posts: 15
Re: security vulnerability in vmbeez3 template
« Reply #4 on: February 05, 2020, 19:49:20 pm »
Any idea why they were flagged and are the changes acceptable?

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • Posts: 10094
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: security vulnerability in vmbeez3 template
« Reply #5 on: February 06, 2020, 20:50:36 pm »
One file has this block so that you can't load it without the Joomla context, but there is no important stuff in it, just language. The other file got a feature some months later which created a data leak, but the feature was not in the file, so it is not vulnerable. But I used this occasion to update vmbeez3 with the latest files of beez3.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/
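
Added example, not part of the thread and not VirtueMart, Joomla or A2 Hosting code: a check for the kind of block described in the reply above, assuming it means Joomla's usual `defined('_JEXEC') or die;` direct-access guard as the first statement of a PHP file. The sample template tree and its file contents are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the "block" is Joomla's direct-access guard, e.g.
#   defined('_JEXEC') or die;
GUARD = re.compile(
    r"(?:\s*(?:namespace|use|declare)\b[^;]*;)*"  # statements allowed before it
    r"\s*\\?defined\s*\(\s*['\"]_JEXEC['\"]\s*\)"
    r"\s*(?:or|\|\|)\s*(?:die|exit)\b",
    re.IGNORECASE,
)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def has_entry_guard(php_source: str) -> bool:
    """True if the first statement after '<?php' is the _JEXEC guard."""
    head, tag, rest = php_source.partition("<?php")
    if not tag or head.strip():
        return False  # no open tag, or output is sent before any guard can run
    return bool(GUARD.match(COMMENTS.sub("", rest)))


def unguarded_php_files(template_dir: Path) -> list[str]:
    """Relative paths of .php files under template_dir that lack the guard."""
    missing = []
    for path in template_dir.rglob("*.php"):
        source = path.read_text(encoding="utf-8", errors="replace")
        if not has_entry_guard(source):
            missing.append(path.relative_to(template_dir).as_posix())
    return sorted(missing)


def build_sample_template(root: Path) -> Path:
    """Constructed sample tree; names and contents are invented for the demo."""
    tpl = root / "templates" / "sampletpl"
    (tpl / "html").mkdir(parents=True)
    (tpl / "index.php").write_text("<?php\n/** header */\ndefined('_JEXEC') or die;\necho 'ok';\n")
    (tpl / "strings.php").write_text("<?php\n// no guard here\n$s = array('A' => 'b');\n")
    (tpl / "html" / "view.php").write_text("<?php\nnamespace Demo;\n\\defined( \"_JEXEC\" ) || exit;\n")
    (tpl / "html" / "late.php").write_text("<?php\necho 'x';\ndefined('_JEXEC') or die;\n")
    return tpl


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in unguarded_php_files(build_sample_template(Path(tmp))):
            print("no _JEXEC guard:", rel)
```

A file listed by this check is only a candidate for review: as the reply above notes, a file that holds nothing but language strings may expose nothing of value even when loaded directly.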

LTCreations

  • Beginner
  • Posts: 39
  • Mr. Garrison
    • City Directory On Line
Re: security vulnerability in vmbeez3 template
« Reply #6 on: March 17, 2021, 20:39:33 pm »
I just received a notification from A2 yesterday, March 16, 2021.
The bot clearly states the following:
XSS vulnerability in Joomla
/home/account/public_html/templates/vmbeez3/javascript/template.js


Information disclosure vulnerability in Joomla
/home/account/public_html/templates/vmbeez3/jsstrings.php


Information disclosure vulnerability in Joomla
/home/account/public_html/templates/vmbeez3/html/com_content/article/default.php

Can you please review and advise?

Thanks.
Thomas

Jörgen

  • Global Moderator
  • Sr. Member
  • Posts: 3527
    • Kreativ Fotografi
  • VirtueMart Version: 3.4.x
Re: security vulnerability in vmbeez3 template
« Reply #7 on: March 18, 2021, 00:37:39 am »
Please clearly state versions ...

Jörgen @ Kreativ Fotografi
Joomla 3.9.18
Virtuemart 3.4.x
Olympiantheme Hera (customized)
This reflects current status when viewing old post.

LTCreations

  • Beginner
  • Posts: 39
  • Mr. Garrison
    • City Directory On Line
Re: security vulnerability in vmbeez3 template
« Reply #8 on: March 23, 2021, 23:58:06 pm »
VirtueMart 3.8.8 10472

Sorry.

jenkinhill

  • UK Web Developer & Consultant
  • Global Moderator
  • Super Hero
  • Posts: 28146
  • Always on vacation
    • Jenkin Hill Internet
Re: security vulnerability in vmbeez3 template
« Reply #9 on: March 24, 2021, 10:41:56 am »
With the current VMBeez  -  vmbeez3_3.4.2  ?
Kelvyn

Jenkin Hill Internet,
Lowestoft, Suffolk, UK

Unsolicited PMs/emails will be ignored.

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Currently using VirtueMart 3.8.9.10473 on Joomla 3.9.24 PHP 7.4.14

balai

  • 3rd party VirtueMart Developer
  • Full Member
  • Posts: 1448
Re: security vulnerability in vmbeez3 template
« Reply #10 on: March 24, 2021, 11:49:35 am »
Guys, I don't think it's a good practice to publish all those in a public forum.
It can negatively affect a large number of sites and mainly your sites, since you report that you have such vulnerabilities.

If these regard Joomla file vulnerabilities, please report them to the Joomla Security Strike Team
https://developer.joomla.org/security.html

If they regard VM, you'd better PM Max or whoever this concerns, or find a private means of communication.

The moderator may have to consider hiding that post from the public.