Research by the security firm Sucuri shows that a critical vulnerability in the VirtueMart extension allows malicious users to gain super-admin privileges on sites that use the extension. As a result, an attacker can take full control of the victim site and its database.
The VM team worked on the security flaw and patched it in VirtueMart 2.6.10 and 2.9.9B in record time after the issue was discovered. The VM team stated that the issue stems from the Joomla user model itself: “VirtueMart uses Joomla’s JUser class “bind” and “save” methods to handle user accounts information,” Montpas said. “That’s not a problem in and of itself, but this class is very tricky and easy to make mistakes with.” Other extensions that rely on the same model are therefore likely to have the same problem. Passing sensitive data through the Joomla user model can also put the database at risk while an update is in progress.
Fix the security issue without updating VirtueMart
There are two possible ways to deal with the security problem if you cannot update VirtueMart:
1. Replace the file models/user.php
The simplest way is to replace the user model with the new one:
– Firstly, download the latest version of VirtueMart
– Then, replace the file /administrator/components/com_virtuemart/models/user.php with the new one.
2. Patch the user.php file
If your user model is too heavily modified to replace, do the following:
– Firstly, go to /administrator/components/com_virtuemart/models/user.php
– Secondly, search for the function named store(&$data,$checkToken = TRUE)
– Lastly, add these lines at the beginning of the function:
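The patch lines themselves are not reproduced here. As an added illustration of the underlying mistake (not VirtueMart's patch and not code from the project), the snippet below shows the defensive pattern: form data is filtered against an allow-list before it is handed to JUser::bind(), so keys that decide access level never reach save(). The field names and the sample payload are assumptions constructed for the example.

```php
<?php
// Added illustration (not VirtueMart's own patch): a user-data array coming
// from an HTTP form is filtered against an allow-list of profile fields before
// it is handed to JUser::bind(), so privilege-related keys never reach save().

// Field names below are assumed for illustration; adapt to the real model.
const ALLOWED_USER_FIELDS = ['name', 'username', 'email', 'password', 'password2'];

// Keys that must never be taken from request data. 'gid', 'groups' and
// 'usertype' are used by JUser to decide access level; 'block' and
// 'activation' control account state. (Assumed list for this example.)
const PRIVILEGED_USER_FIELDS = ['gid', 'groups', 'usertype', 'block', 'activation'];

/**
 * Return a copy of $data containing only allow-listed keys, and report which
 * privileged keys were dropped so the rejection can be logged.
 */
function sanitizeUserData(array $data, array &$dropped = []): array
{
    $dropped = [];
    $clean = [];
    foreach ($data as $key => $value) {
        if (in_array($key, ALLOWED_USER_FIELDS, true)) {
            $clean[$key] = $value;
        } elseif (in_array($key, PRIVILEGED_USER_FIELDS, true)) {
            $dropped[] = $key;   // attempted privilege change via form data
        }
        // any other unknown key is silently ignored
    }
    return $clean;
}

// Constructed request payload: an ordinary profile update with extra
// privilege-related keys smuggled in. Bound unfiltered, bind()/save()
// would accept them; the model must strip them first.
$untrusted = [
    'name'   => 'Jane Doe',
    'email'  => 'jane@example.com',
    'groups' => ['<privileged-group-id-placeholder>'],
    'block'  => 0,
];

$dropped = [];
$safe = sanitizeUserData($untrusted, $dropped);
// $safe now holds only 'name' and 'email'; $dropped is ['groups', 'block'].
if ($dropped) {
    error_log('Rejected privileged user fields from request: ' . implode(',', $dropped));
}
// In the real model the call would then be $user->bind($safe) followed by $user->save().
```

Logging the dropped keys also gives a simple detection signal: a profile update that carries group or block fields is worth alerting on.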
From all of the above, we hope you understand why it is important to update VirtueMart to version 2.6.10 or 2.9.9B right now. We are also planning to update our VirtueMart extensions and templates to the patched version, which will considerably better protect your websites and your online stores. Keep in touch with us to get the latest information as soon as it is available.