Comments for Security Issues in VirtueMart at http://virtuemart.net , comment 1 to 12 out of 12 comments http://virtuemart.net Wed, 08 Feb 2012 06:29:15 +0100 FeedCreator 1.7.3 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-4679 Is there any newest version ? - wholesale cheap wedding dresses Sat, 12 Nov 2011 22:36:29 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-4678 I use virtuemart version 1.1.4 ( joomla 1.5 ), buy I have a problem - cheap wedding dresses Sat, 12 Nov 2011 22:35:30 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-3791 danke für die infor mation. und viel erfolg. - Leoliner Fri, 11 Feb 2011 03:20:03 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-3517 hi, link for virtuemart 1.0.15 is broken. can you fix it please? thank you jsarmento - sarmento Sun, 02 Jan 2011 08:15:05 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-3516 hi, link for Security Fix for VirtueMart - sarmento Sun, 02 Jan 2011 08:13:09 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-2549 I use virtuemart version 1.1.4 ( joomla 1.5 ), I have a problem when I click user or etc menu at virtuemart, I get a massage like this : [b]The page you have requested could not be found. (404)[/b] [/b] Thank you. - giarso Thu, 11 Mar 2010 17:16:39 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-2521 Hello The security fix to VirtueMart 1.1.4 is broken. I received this message: Error message [404] 404 Not Found for dev.virtuemart.net/attachments/download/37/SecurityFix_vm114_012910.zip port 80 on Thursday, 04-Mar-2010 20:38:10 CST - Tsuchiya Fri, 05 Mar 2010 04:45:30 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-2476 Shemzone already pointed out the addition: [quote] // Check for non-numeric product id if (!empty($product_id)) { if (!is_numeric($product_id)) { $product_id = ''; } } [/quote] BUT $product_id is already forced to be an integer just a couple lines earlier: [quote]$product_id = intval( mosgetparam($_REQUEST, "product_id", null) );[/quote] It doesn't look like the new code prevents any SQL injection via $product_id because no SQL injection was possible before. - Simon Arthur Thu, 11 Feb 2010 06:00:13 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-2473 Thanks a lot for this patch update. - Henry Hill Wed, 10 Feb 2010 07:06:53 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-2472 Is this security fix already included in new 1.1.4 downloads? I think many users dont't update if there's no new subversion out :( - Jörg Truttenbach Tue, 09 Feb 2010 10:07:03 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-2469 So do I, my file is heavily customized I guess the changes are from line 43 to 48. // Check for non-numeric product id if (!empty($product_id)) { if (!is_numeric($product_id)) { $product_id = ''; } } Could anyone confirm that? - Shemzone Mon, 08 Feb 2010 17:07:32 +0100 http://virtuemart.net/news/list-all-news/366-security-issues-january2010#comment-2455 Thanks for this information! But my shop.product_details.php are very customized, can you provide code changes by text? Regards - DCA Thu, 04 Feb 2010 03:40:20 +0100