XSS Vulnerability

Started by bkleyens, October 08, 2020, 22:25:02 PM

bkleyens

I recently got notified of an XSS vulnerability in VM 3.8.4 10335 (Running on Joomla 3.9.21, PHP 7.3.16). The following URL generates a popup message:

http://localhost/component/virtuemart/?keyword=&dir=%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37%2529%253c%252fscript%253e


How do I fix this?

Studio 42

This means that if you insert the dir=.. alert script, you display a popup.
This does not mean that the XSS is saved in the database, but that you can inject a script into the DOM and run it..
The only real problem is if you click a link with an XSS, so it can be used by a hacker directly (he needs to redirect you using a link), but not when a customer does a search.
A hacker has many other ways to run a script in your browser, so the risk is very very low.

ermes


Studio 42

Hmm, it seems that vRequest::getCmd does not filter correctly.
I tested it and the result is
%22%3e%3cscript%3ealert%28%27%34%4e%5f%43%55%52%5a%45%27%29%3c%2fscript%3e
getCmd should only return these characters: aZ-_

Joomla getCmd sends back:
223e3cscript3ealert2827344e5f4355525a4527293c2fscript3e

So this is a general issue in the vRequest::getCmd input filter, so this vulnerability is certainly in all links that use getCmd !!!!
So using task=.... in the link can have the same vulnerability
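As an added example (not VirtueMart or Joomla code), the script below reproduces the two strings quoted in the post above from the dir= value in the reported URL and checks what a cmd-style whitelist leaves over at each decoding depth. The regex is an assumption that mirrors Joomla's CMD filter (letters, digits, "_", ".", "-", leading dots trimmed) and stands in for the reference behaviour; the thread does not show what vRequest::getCmd did differently.

```php
<?php
// Reference cmd filter (assumed to match Joomla's CMD filter): keep only
// letters, digits, "_", "." and "-", then drop leading dots.
function cmdFilter(string $value): string
{
    $clean = preg_replace('/[^A-Z0-9_\.-]/i', '', $value);
    return ltrim($clean, '.');
}

// One level of percent-decoding, as PHP applies when it fills $_GET.
function decodeOnce(string $raw): string
{
    return urldecode($raw);
}

// A cmd value is safe for use in a link or attribute only if nothing but
// the whitelisted characters survived.
function isCmdSafe(string $value): bool
{
    return preg_match('/^[A-Z0-9_\.-]*$/i', $value) === 1;
}

// The dir= value exactly as it appears in the URL from the first post.
$rawDir = '%2522%253e%253cscript%253ealert%2528%25%32%37%25%33%34%25%34%65'
        . '%25%35%66%25%34%33%25%35%35%25%35%32%25%35%61%25%34%35%25%32%37'
        . '%2529%253c%252fscript%253e';

$once  = decodeOnce($rawDir);  // what $_GET['dir'] holds: %22%3e%3cscript...
$twice = decodeOnce($once);    // what a second decode would turn it into

$checks = [
    'once decoded'         => $once,
    'cmd-filtered (once)'  => cmdFilter($once),   // 223e3cscript3ealert... as quoted
    'twice decoded'        => $twice,             // "><script>alert(...)</script>
    'cmd-filtered (twice)' => cmdFilter($twice),
];

foreach ($checks as $label => $value) {
    printf("%-21s safe=%-3s %s\n", $label, isCmdSafe($value) ? 'yes' : 'no', $value);
}
```

Both "cmd-filtered" rows come out safe=yes, so a whitelist of this shape is sufficient whether the value is decoded once or twice; the two "decoded" rows show the markup that reaches the page when such a filter is bypassed or skipped.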

bkleyens


jjk

Sorry for the late answer - the current VM developers plus a few other VM users including me tried to reproduce your result, but none of us was able to reproduce the issue you described - even when using the same versions you stated above.
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations


StefanSTS

Max found the issue.

There will be a new version shortly. The fix will be in.
--
Stefan Schumacher
www.jooglies.com - VirtueMart Invoice Layouts

Please use only stable versions with even numbers for your live shop! Use Alpha versions only if you know what risk you are taking.

Milbo

Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

StefanSTS

VM 3.8.6 was released last week with the fix included.
Please update.