VM Security Bulletin 2008-01-30-2

Written by Soeren Eberhardt-Biermann

Wednesday, 30 January 2008 02:00
Component Type: VirtueMart Core. The affected files are part of the standard VirtueMart Distribution.
Affected Versions: VirtueMart Version 1.0.13a and all versions below.
Vulnerability Type: Cross-Site Request Forgery.
Severity: HIGH.
Problem Description: Requests to VirtueMart are checked for authentication cookies to prevent malicious users from making administrative changes in the store. VirtueMart does not check whether the request to execute a function was actually intended by the user. That makes it possible for attackers to trick the user into viewing prepared web pages that call a function in the store from within the context of the user's browser. Note that this requires the user to be logged in to the store while viewing the prepared pages.
Solution: An updated version is available from the VirtueMart Download Section. Patch packages are available for each previous version, containing only those files that have changed relative to the latest version.
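To make the distinction concrete, here is an added illustration (not VirtueMart's code, written in Python rather than PHP since the pattern is language-independent) of a state-changing handler that checks only the session cookie, beside one that also requires a per-session anti-CSRF token. The session table, the `tax_rate` setting and the request shape are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the store's session table
# and one administrative setting; not VirtueMart's own data model.
SESSIONS = {}            # session id -> {"user": ..., "csrf": ...}
STORE = {"tax_rate": 19}


def login(user):
    """Create a session plus a per-session anti-CSRF token; returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the store embeds in forms it serves to this session."""
    return SESSIONS[sid]["csrf"]


def make_request(sid, method, params):
    """A request as the browser sends it: the session cookie goes along automatically."""
    return {"method": method, "cookies": {"sid": sid}, "params": dict(params)}


def apply_change(params):
    STORE["tax_rate"] = int(params["tax_rate"])
    return 200


def handle_vulnerable(request):
    """The pattern the bulletin describes: only the authentication cookie is
    checked, so any page the logged-in admin happens to view can trigger the change."""
    if request["cookies"].get("sid") not in SESSIONS:
        return 403
    return apply_change(request["params"])


def handle_fixed(request):
    """Hardened handler: a state change requires POST and a token that only a page
    served by the store to this session can contain; a third-party page cannot read it."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 403
    if request["method"] != "POST":
        return 405
    supplied = request["params"].get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered byte by byte
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403
    return apply_change(request["params"])
```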
General advice:
Follow the recommendations from the Joomla! Administrator's Security Checklist and the Security & Performance FAQ for Joomla!. This gives your store a baseline of security.
Keep an eye on the VirtueMart Security Bulletins.

Last Updated on Sunday, 03 February 2008 20:08