Topic: XSS Vulnerability

bkleyens

XSS Vulnerability
« on: October 08, 2020, 22:25:02 pm »
I recently got notified of an XSS vulnerability in VM 3.8.4 10335 (Running on Joomla 3.9.21, PHP 7.3.16). The following URL generates a popup message:

http://localhost/component/virtuemart/?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e


How do I fix this?

Studio 42

Re: XSS Vulnerability
« Reply #1 on: October 10, 2020, 14:26:11 pm »
This means that if you insert the dir=.. alert script, you display a popup.
This does not mean that the XSS is saved in the database, but that you can inject a script into the DOM and run it.
The only real problem is if you click a link with an XSS, so it can be used by a hacker directly (he needs to redirect you using a link), but not when a customer does a search.
A hacker has many other ways to run a script in your browser, so the risk is very, very low.

ermes

Re: XSS Vulnerability
« Reply #2 on: October 12, 2020, 12:06:38 pm »
Studio 42 this is a bug.

Studio 42

Re: XSS Vulnerability
« Reply #3 on: October 12, 2020, 15:30:56 pm »
Hmm, it seems that vRequest::getCmd does not filter correctly.
I tested it and the result is:
%22%3e%3cscript%3ealert%28%27%34%4e%5f%43%55%52%5a%45%27%29%3c%2fscript%3e
getCmd should only return this set of characters: aZ-_

Joomla getCmd sends back:
223e3cscript3ealert2827344e5f4355525a4527293c2fscript3e

So this is a general issue in the vRequest::getCmd input filter, so this vulnerability is certainly in all links that use getCmd !!!!
So using task=.... in the link can have the same vulnerability.
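To make the contract Studio 42 describes concrete, here is an added example (not VirtueMart or Joomla code) of a "cmd" whitelist filter applied to the dir value from the first post; the character class [A-Za-z0-9_.-] and the leading-dot trim mirror what Joomla's CMD filter is expected to keep, and `filterCmd` is a stand-in name, not the project's vRequest::getCmd.

```php
<?php
// Added example, not the project's own code: a whitelist "cmd" filter with
// the contract described above (only letters, digits, '_', '.', '-').

/**
 * Keep only the characters a command/sort token may contain. Quotes, angle
 * brackets, percent signs and parentheses are dropped, so the result can
 * never open a tag or attribute when it is echoed back into the page.
 */
function filterCmd(string $value): string
{
    $clean = preg_replace('/[^A-Za-z0-9_.-]/', '', $value);
    return ltrim($clean, '.');   // also refuse leading dots (path-like tokens)
}

// The dir parameter as PHP receives it: the web server has applied one round
// of percent-decoding to the double-encoded URL from the first post.
$dir = '%22%3e%3cscript%3ealert%28%27%34%4e%5f%43%55%52%5a%45%27%29%3c%2fscript%3e';

// Yields the harmless token Studio 42 reports from Joomla's getCmd:
// 223e3cscript3ealert2827344e5f4355525a4527293c2fscript3e
var_dump(filterCmd($dir));

// The filter must run on the form that is actually rendered. If any later
// layer decodes the value once more, the markup reappears, so filtering only
// the still-encoded string is not enough; filter after the final decode.
$decodedAgain = urldecode($dir);        // "><script>alert('4N_CURZE')</script>
var_dump(filterCmd($decodedAgain));     // scriptalert4N_CURZEscript
```

Run it with `php filter_cmd_example.php` (file name assumed); both outputs contain no characters that can break out of an HTML attribute or open a tag.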

bkleyens

Re: XSS Vulnerability
« Reply #4 on: October 22, 2020, 17:28:59 pm »
Is there a patch for this?

jjk

Re: XSS Vulnerability
« Reply #5 on: November 01, 2020, 14:09:17 pm »
Sorry for the late answer - the current VM developers plus a few other VM users including me tried to reproduce your result, but none of us was able to reproduce the issue you described - even when using the same versions you stated above.
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

StefanSTS

Re: XSS Vulnerability
« Reply #7 on: November 02, 2020, 12:10:48 pm »
Max found the issue.

There will be a new version shortly. The fix will be in.
--
Stefan Schumacher
www.jooglies.com - VirtueMart Invoice Layouts

Please use only stable versions with even numbers for your live shop! Use Alpha versions only if you know what risk you are taking.

Milbo
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

StefanSTS

Re: XSS Vulnerability
« Reply #9 on: November 10, 2020, 13:25:27 pm »
VM 3.8.6 was released last week with the fix included.
Please update.