Component Type: VirtueMart Core. The affected files are part of the standard VirtueMart Distribution.
Affected Versions: VirtueMart Version 1.1.7 and all versions below.
Vulnerability Type: SQL Injection.
Problem Description: It's possible to manipulate or gain information from the database with a specially crafted URL without having to login.
Solution: apply a patch or replace one file in your VirtueMart installation. (when available: Update to VirtueMart 1.1.8).
Steps for the Update:
- Download the Update Package VM 1.1.7a.
- Go to your store and login to your Joomla! Backend (/administrator).
- Go to the VirtueMart Admin Panel => "Admin" => "Search for Updates".
- On that page click the tab "Upload a Patch". Now click "Browse" and select the patch file you just downloaded. Proceed with "Upload & Preview".
- On the following page you will find the details for this patch and if any errors occured. If everything's fine, just check the warning checkbox and click "Apply Patch now".
- Done - your VirtueMart Installation is patched now.
Follow the recommendations from the Joomla! Administrator's Security Checklist and the Security & Performance FAQ for Joomla!. This way you get basic security for your Store.
Keep notice of the VirtueMart Security Bulletins.