SQL injection Vulnerability in all 1.0 versions of VirtueMart!!!

Started by Mark Smeed, January 28, 2010, 12:43:40 PM


Mark Smeed

Hi Guys,

I've just become aware of a SQL injection Vulnerability in all 1.0 versions of VirtueMart.

The summary of the Vulnerability can be found @ http://docs.joomla.org/Vulnerable_Extensions_List

It would seem that the JED became aware of this on the 7th December 09, and therefore I was wondering if this has been addressed?

If not when do you think a fix will be available?

Thanks,

:)

martin77

Above the list it is said that only the ones in a red box aren't addressed yet. The VirtueMart vulnerability isn't in a red box, so I assume it's fixed.

Mark Smeed

Hi Martin,

Thank you for your post!

If you visit the extensions on the JED you will find that the extension has been unpublished by Joomla! for the following reason: http://extensions.joomla.org/extensions/129/details

Quote: This extension has been unpublished for the following reason: Vulnerable Extensions List - http://docs.joomla.org/http://www.exploit-db.com/exploits/10407_Extensions_List

This is a bit disconcerting. Maybe my fear is unjustified; however, it would be very helpful to hear from one of the VR developers on this matter, if only to set our fears at rest.

To learn more about the SQL injection vulnerabilities: http://www.exploit-db.com/exploits/10407 & http://www.exploit-db.com/exploits/11271 & http://www.exploit-db.com/exploits/10407

Thanks,

:)

tomkerswill

Hi --- this has also been mentioned on the SANS newsletter today, and on:

http://www.securityfocus.com/bid/37963

It doesn't look like there's a fix available at the moment at all... at least not one that is mentioned on Security Focus. Would love to know more details about how this can be patched!

Tom

Milbo

First:

The vulnerability does not hit the normal VirtueMart because it is only accessible via the backend. As long as there is no multivendor, this is not a vulnerability.
This is a minor problem, and the next thing: this is fixed by Thomas for vm1.1.4b, just download the nightly build from 28.1.10.

Cyas da Milbo
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Mark Smeed

Hi Milbo,

Thank you for your reply and for addressing the first reported vulnerability. However, there seems to be another vulnerability which can be exploited via the front-end!

The vulnerability seems to be present on the product details pages, which permits hackers to compromise the system via a SQL injection vulnerability.

Please see: http://www.exploit-db.com/exploits/10407 for explanation of the same.

Has this been addressed on the nightly build?

Thanks,

:)

bass28

We feel we have the backend vulnerability for 1.1.4 corrected.  We are investigating the others reported in 1.0 and hope to have patches shortly.

Milbo

Please look here

This line fixes the frontend security leak with the product_id:
change line 23 in /html/order.order_status_form.php to
$order_status_id = vmrequest::getInt('order_status_id', 0);

Written by zorkhh: The problem was that the order_status_id parameter was not checked correctly and accepted strings where only integers should be allowed. This way the injection could happen. Now it makes sure that the variable can contain only integers.

This should help, the changes are already in the svn, we will release a patch soon.

David-Andrew

iDEAL for Virtuemart 3
http://www.chillcreations.com/joomla-extensions/ccideal-platform-ideal-for-joomla

Also supports Rabo OmniKassa and other payment providers, and older Virtuemart versions!

zorkhh

Virtuemart Professional Support at http://www.vm-expert.com

Visit the large Virtuemart Group on Joomla.org: http://people.joomla.org/groups/viewgroup/30-Virtuemart.html

bsavic

Hi Everyone,

I could not recreate this issue on a site with VirtueMart 1.0.15; the server has magic quotes enabled.

Is this because of magic quotes? What do you think?

Thanks
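
Added example (not part of any post above, and not VirtueMart code): the integer check described earlier in the thread, next to quote escaping of the kind magic quotes applied, run against one constructed query. The table, its rows, the request value and the helper get_int() are assumptions made for illustration; it needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not VirtueMart code. get_int() is a hypothetical stand-in for
// the idea behind vmrequest::getInt(): the request value is forced to an integer.
function get_int(array $request, string $name, int $default = 0): int
{
    if (!isset($request[$name]) || !is_scalar($request[$name])) {
        return $default;
    }
    // Strict validation: anything that is not a plain integer falls back to
    // the default instead of being truncated ("12abc" -> default, not 12).
    $value = filter_var($request[$name], FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

// Constructed schema and data (in-memory SQLite), for illustration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_status (order_status_id INTEGER, name TEXT)');
$db->exec("INSERT INTO order_status VALUES (1, 'Pending'), (2, 'Confirmed'), (3, 'Shipped')");

function count_rows(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll());
}

// Constructed request: a string arrives where only an integer is expected.
$request = ['order_status_id' => '0 OR 1=1'];

// Before: the raw string becomes part of the SQL text and changes the WHERE clause.
$raw = $request['order_status_id'];
$before = count_rows($db, "SELECT * FROM order_status WHERE order_status_id = $raw");

// Quote escaping (what magic quotes applied to request data) leaves this value
// unchanged, because it contains no quote characters.
$escaped = addslashes($raw);
$stillBefore = count_rows($db, "SELECT * FROM order_status WHERE order_status_id = $escaped");

// After: only an integer can reach the query; a bound parameter adds a second layer.
$id = get_int($request, 'order_status_id', 0);
$stmt = $db->prepare('SELECT * FROM order_status WHERE order_status_id = :id');
$stmt->execute([':id' => $id]);
$after = count($stmt->fetchAll());

printf("raw: %d rows, escaped: %d rows, integer-checked: %d rows\n", $before, $stillBefore, $after);
```

Whether escaping alone blocks a given request depends on whether the query places the value inside quotes, so the integer check is the control that holds in both cases.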


zorkhh

Be careful with the versions! The last posts were VM 1.1.4 related...

Thomas

bass28

I added files to SVN for both 1.0.15 and 1.1.4 which should eliminate the SQL injections that have been reported. If anyone comes across any more, let us know.

I will post patched files on the site for download soon.

bass28

Here are the patch files for 1.0.15 and 1.1.4.  Just extract them into your Joomla root folder.  The first part of the filename indicates the version. ;)

[attachment cleanup by admin]

tomkerswill

Ah great - thanks so much for the quick action and fix. Am finding virtuemart to be really excellent!
Tom