Major Virtuemart Security Vulnerability Announced

Comments

VIrtuemart recently announced a major security vulnerability. Users of the component need to upgrade and patch immediately. Please read this except from PCWorld magazine dated Sep 11, 2014.

http://www.pcworld.com/article/2606312/vulnerability-in-popular-joomla-ecommerce-extension-puts-online-shops-at-risk.html

A critical vulnerability in a popular e-commerce extension for the Joomla content management system allows malicious users to gain super-admin privileges to sites that run the software.

The VirtueMart extension, which allows users to set up online shops on their websites, has been downloaded more than 3.5 million times, said Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, in a blog post Wednesday. “With super-admin access, the attacker has full control of the site and database.”

The issue was discovered last week and was patched in VirtueMart 2.6.10, released on Sept. 4. The VirtueMart page in the Joomla extensions catalogue advises users that “everyone using a version lower than 2.6.10 should update as soon as possible for security reasons.”

Sucuri originally released technical details about the vulnerability, but then removed them at the developer’s request because the issue might also affect other extensions.

“VirtueMart uses Joomla’s JUser class ‘bind’ and ‘save’ methods to handle user accounts information,” Montpas said. “That’s not a problem in and of itself, but this class is very tricky and easy to make mistakes with. We actually think the problem is on the Joomla class itself, so we will not disclose any more details.”

The VirtueMart developers feel the same. They disapproved of Sucuri’s decision to make the details public, calling it “amateurish” on Twitter and said that VirtueMart won’t be the only component with the problem.

The VirtueMart website contains a long list of online stores built with the extension and it will probably take some time until their owners update them all, putting the sensitive data stored in their databases at risk in the meantime.

“Great post, but can you perhaps nudge us a bit toward the location of the security risk,” one user named Martijn Faber, wrote in a comment to Sucuri’s blog post. “We currently have some projects in [VirtueMart] 2.6.8 which cannot be updated easily. We have to fix this by hand (line by line).”

“I have the same problem as Martijn, can you please give us some list of updated VM core files?” another user said.

Let us know if you need help. Use our quote form on our front page (http://www.911websiterepair.com) to contact us of call 860-294-2444.

Unfortunately, as the article states, for highly customized websites this could be major work.

Why Choose 911 Website Repair?

Highly Experienced

We’ve fixed more than 25,000 websites since 1998 and are able to resolve all website errors.

Extreme Customizations

We excel at completing complex integrations and adding non-standard functionality to websites.

Great Communication

Get responses in minutes rather than days during normal business hours. You’re never ignored.

Frequently Asked Questions

What website errors and issues do you fix?

We can fix and address almost all kinds of website issues like malware/malicious code/virus insertions, internal server errors, theme & plugin conflicts, SQL errors, database corruption, timeouts, DNS issues, browser incompatibilities, blank pages, and much more. If your website is not working properly, then we can diagnose the root cause of the issue and repair it. Chances are — we've seen the issue before!

How long will it take to fix my website?

Typically, we can fix a hacked website within 24-48 hours. However, there are cases where the issue is complex and requires more time to fix. Conversely, there are cases where sites can be restored within hours. After you get in touch with us, our development team will assess your website's problem and let you know the amount of time and the actions it will take to fix your site.

Can you restore my content and data?

In most cases, yes. And to be completely transparent, there are times where where website restoration is not possible (catastrophic server failure, lack of backups, etc.). If your site does need to be completely rebuilt, we will credit your initial payment to us toward the rebuild quote.

How can I ensure that my website never gets hacked again?

Unfortunately, no site on the Internet is un-hackable. However, we will let you know exactly what to do to secure your restored website and make it extremely difficult to hack — and faster to load!

What specific information do you need to get started?

At the bare minimum, we will need your website hosting credentials. This will allow us to access your server files and website's database. We may also need access to your domain name servers (DNS), which are usually with whatever domain name registrar, so have those credentials ready too.

How much does it cost to fix my website?

It varies. Pricing depends upon the depth and complexity of your website's issue. Our pricing is competitive, and in most cases lower than other website development companies and freelance web developers.

What types of website customizations can you do?

If you can imagine it, we can code it. Really...hit us with your best shot!

Search our Site

Plone CMS Website Repair

Fill out the form below to get a quote for our services.

Expert Plone CMS Website Repair

Extreme Plone CMS Website Customizations

Plone CMS Website Development

Plone CMS Website Repair & Development Services