VirtueMart - Open Source eCommerce Software

Security Issues in VirtueMart
Written by Soeren Eberhardt-Biermann
Wednesday, 03 February 2010 10:32

Warning: Last week there were reports that VirtueMart <= 1.1.4 and VirtueMart <= 1.0.15 are vulnerable to SQL injection. After a short investigation the VirtueMart Development Team confirmed that the reported vulnerabilities exist, and Rick has released a patch for both series of VirtueMart (1.1 and 1.0).

The vulnerability in VirtueMart 1.1 can only be exploited by users with store admin/admin permissions. The vulnerability in VirtueMart 1.0 can be exploited by unregistered users, so you are urged to apply the fix as soon as possible to prevent data leakage or manipulation. Please note that VirtueMart 1.0 is no longer officially supported.

* Security Fix for VirtueMart <= 1.1.4.zip (7.69 KB)
* Security Fix for VirtueMart <= 1.0.15.zip (7.53 KB)

To apply the fix, just extract the contents of the ZIP archive into your Joomla! root folder.

Comments (12)
Thanks for this information!
But my shop.product_details.php are very customized, can you provide code changes by text?

Regards
1

February 04, 2010
Votes: +3
Shemzone: The changes are:
So do I, my file is heavily customized
I guess the changes are on lines 43 to 48.

    // Check for non-numeric product id
    if (!empty($product_id)) {
        if (!is_numeric($product_id)) {
            $product_id = '';
        }
    }

Could anyone confirm that?
2

February 08, 2010
Votes: +2
Jörg Truttenbach: ...
Is this security fix already included in new 1.1.4 downloads? I think many users don't update if there's no new subversion out.
3

February 09, 2010
Votes: +2
Henry Hill: Thanks Much http://www.uphill-games.com
Thanks a lot for this patch update.
4

February 10, 2010
Votes: +1
Simon Arthur: Do the changes to shop.product_details.php do anything? http://www.bigbluesaw.com
Shemzone already pointed out the addition:

    // Check for non-numeric product id
    if (!empty($product_id)) {
        if (!is_numeric($product_id)) {
            $product_id = '';
        }
    }

BUT $product_id is already forced to be an integer just a couple of lines earlier:

    $product_id = intval( mosgetparam($_REQUEST, "product_id", null) );

It doesn't look like the new code prevents any SQL injection via $product_id because no SQL injection was possible before.
5

February 11, 2010
Votes: +1
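The intval()/is_numeric() question raised in the comment above can be checked directly. The following is an added example written for this page; it is not VirtueMart code and not part of any comment. It runs the two checks on constructed request values, then looks the id up with a bound integer parameter. The table name `vm_product_demo`, the in-memory SQLite database and the `fetch_product_name()` helper are assumptions made for the demo, not VirtueMart's schema or API.

```php
<?php
// Added example, not VirtueMart code. Demonstrates what intval() does to
// untrusted product ids, why a later is_numeric() check on the result can
// never fail, and how to pass the value to SQL as a bound parameter.

function sanitize_product_id($raw): int
{
    // intval() keeps only a leading integer; anything else becomes 0.
    // Because the result is already an int, is_numeric() on it is always
    // true, which is the redundancy the comment above points out.
    $id = intval($raw);
    return $id > 0 ? $id : 0;   // product ids are positive; 0 means "invalid"
}

function fetch_product_name(PDO $db, $raw): ?string
{
    $id = sanitize_product_id($raw);
    if ($id === 0) {
        return null;   // refuse to query at all for an invalid id
    }
    // The id is bound as an integer parameter, never interpolated into SQL.
    $stmt = $db->prepare('SELECT product_name FROM vm_product_demo WHERE product_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed demo database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vm_product_demo (product_id INTEGER PRIMARY KEY, product_name TEXT)');
$db->exec("INSERT INTO vm_product_demo VALUES (42, 'Widget')");
$db->exec("INSERT INTO vm_product_demo VALUES (7, 'Gadget')");

// Constructed request values: well-formed, trailing garbage, non-numeric,
// empty, negative, and a decimal string.
foreach (['42', '42abc', 'abc', '', '-7', '7.9'] as $raw) {
    printf("%-8s intval=%-3d is_numeric(raw)=%-5s is_numeric(intval)=%s -> %s\n",
        var_export($raw, true),
        intval($raw),
        is_numeric($raw) ? 'true' : 'false',
        is_numeric(intval($raw)) ? 'true' : 'false',
        fetch_product_name($db, $raw) ?? 'no product');
}
```

Run it with `php example.php`. The `is_numeric(intval)` column is `true` for every input, including `'abc'` and `''`, so a string-level check placed after the cast cannot reject anything the cast did not already turn into an integer; the protection comes from the cast plus the bound parameter, not from the extra check.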
Tsuchiya: File not found
Hello
The security fix to VirtueMart 1.1.4 is broken.
I received this message:
Error message [404] 404 Not Found for dev.virtuemart.net/attachments/download/37/SecurityFix_vm114_012910.zip port 80 on Thursday, 04-Mar-2010 20:38:10 CST
6

March 05, 2010
Votes: +0
giarso: virtuemart problem setting at web hosting http://www.javafurnisindo.com
I use VirtueMart version 1.1.4 (Joomla 1.5). I have a problem: when I click the User or other menus in VirtueMart, I get a message like this: The page you have requested could not be found. (404)
Thank you.
7

March 11, 2010
Votes: +0
joao sarmento: link for Security Fix for VirtueMart
hi,

link for Security Fix for VirtueMart
8

January 02, 2011
Votes: +0
joao sarmento: link for Security Fix for VirtueMart 1.0.15 is broken
hi,
link for VirtueMart 1.0.15 is broken.

can you fix it please?

thank you

jsarmento
9

January 02, 2011
Votes: +0
Thanks for the information.
And good luck.
10

February 11, 2011
Votes: +0
cheap wedding dresses: ... http://www.letobuy.com
I use VirtueMart version 1.1.4 (Joomla 1.5), but I have a problem
11

November 13, 2011
Votes: +0
wholesale cheap wedding dresses: ... http://www.okaybridal.com
Is there any newer version?
12

November 13, 2011
Votes: +0

Last Updated on Friday, 09 April 2010 20:59
