As you can see in this article:
Security Issues in VirtueMart
WRITTEN BY SOEREN EBERHARDT-BIERMANN
WEDNESDAY, 03 FEBRUARY 2010 10:32
Last week there have been reports that VirtueMart <= 1.1.4 and VirtueMart <= 1.0.15 are vulnerable to SQL injections. After a short investigation the VirtueMart Development Team confirmed that the reported vulnerabilities exist and Rick has released a patch for both series of VirtueMart (1.1 and 1.0).
The vulnerability in VirtueMart 1.1 can only be exploited by users with store admin/admin permissions. The vulnerability in VirtueMart 1.0 can be exploited by unregistered users, so you are urged to apply the fix as soon as possible to prevent data leakage or manipulation. Please note that VirtueMart 1.0 is not officially supported anymore.
Security Fix for VirtueMart <= 1.1.4.zip (7.69 KB)
Security Fix for VirtueMart <= 1.0.15.zip (7.53 KB)
To apply the fix, just extract the contents of the ZIP archive into your Joomla! root folder.
source: http://virtuemart.net/news/list-all-new ... anuary2010
but the current myStore version doesn't have this patch applied,
so if you can, please include the changes:
In administrator/components/com_virtuemart/html/order.order_status_form.php:
change line 5:
    * @version $Id: order.order_status_form.php 1961 2009-10-12 20:18:00Z Aravot $
into:
    * @version $Id: order.order_status_form.php 2266 2010-01-28 01:41:16Z tkahl $
and line 23, change:
    $order_status_id = vmGet( $_REQUEST, 'order_status_id' );
into:
    $order_status_id = vmRequest::getInt('order_status_id', 0);
And in administrator/components/com_virtuemart/html/shop.product_details.php:
change line 5:
    * @version $Id: shop.product_details.php 1839 2009-06-29 20:25:44Z soeren_nb $
to become:
    * @version $Id: shop.product_details.php 1988 2009-11-11 14:29:52Z soeren_nb $
At line 42, insert:
    // Check for non-numeric product id
    if (!empty($product_id)) {
        if (!is_numeric($product_id)) {
            $product_id = '';
        }
    }
At line 242 (which was previously line 235), change:
    $vm_mainframe->setPageTitle( html_entity_decode( $page_title, ENT_QUOTES, vmGetCharset() ));
into:
    $vm_mainframe->setPageTitle( @html_entity_decode( $page_title, ENT_QUOTES, vmGetCharset() ));
I hope this helps.
Regards,
Stephanie
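An added example (not code from the post above or from VirtueMart) showing what the two input checks in the patch filter out before a value reaches a query. readIntParam() is an assumed stand-in for vmRequest::getInt(), filterProductId() mirrors the inserted is_numeric block, and the sample requests are constructed.

```php
<?php
// Added example, not VirtueMart code. Assumption: vmRequest::getInt() behaves
// like readIntParam() below (an int, or the default when the parameter is
// missing or not a whole number). The real class is not reproduced here.
function readIntParam(array $request, string $name, int $default = 0): int
{
    if (!isset($request[$name])) {
        return $default;
    }
    $raw = trim((string) $request[$name]);
    // Accept only an optional sign followed by digits; anything else
    // (letters, spaces, punctuation) falls back to the default.
    if (!preg_match('/^-?\d+$/', $raw)) {
        return $default;
    }
    return (int) $raw;
}

// Mirrors the block inserted at line 42 of shop.product_details.php:
// keep the value only if it is numeric, otherwise blank it.
// Caveat: is_numeric() also accepts "1.5" and "1e3", so cast to int
// before the value is used in SQL.
function filterProductId($product_id)
{
    if (!empty($product_id) && !is_numeric($product_id)) {
        return '';
    }
    return $product_id;
}

// Constructed sample requests: one clean, one with non-numeric values.
$samples = [
    ['order_status_id' => '3',    'product_id' => '17'],
    ['order_status_id' => '3abc', 'product_id' => '17abc'],
];

foreach ($samples as $req) {
    $status = readIntParam($req, 'order_status_id');
    $pid    = filterProductId($req['product_id']);
    // #__ is Joomla's table-prefix placeholder; only the validated,
    // int-cast value is ever interpolated into the SQL text.
    $sql = ($pid === '')
        ? '(query skipped: empty product_id)'
        : 'SELECT product_name FROM #__vm_product WHERE product_id = ' . (int) $pid;
    printf("order_status_id=%d product_id=%s -> %s\n",
        $status, var_export($pid, true), $sql);
}
```

For the second sample the helper returns the default 0 for order_status_id and the product query is skipped, which is the behaviour the patch introduces.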