Security Fix for VM 1.1.4
Written by Thomas Kahl   
Thursday, 28 January 2010 03:20

Today we saw a message on Twitter that Virtuemart has a SQL-Injection problem. This refers to the alert http://www.securityfocus.com/bid/37963/info.

As you can see from the exploit description, this problem only occurs when somebody is logged into the Joomla administration. I would say that this makes it a minor problem - but nevertheless it should be fixed.

We have just uploaded a fix to the virtuemart development server (SVN). If you want to fix the problem on your own before the patch is released, please edit /administrator/components/com_virtuemart/html/order.order_status_form.php and replace line 23 with the following line:

$order_status_id = vmrequest::getInt('order_status_id', 0);

Now the submitted parameter is converted to an integer, so no code can be injected into the query.
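The effect of integer coercion on a concatenated query, as an added example that is not VirtueMart code: `request_int()` is a hypothetical stand-in for an integer-reading request helper, the table name and the sample requests are constructed, and the helper is stricter than a plain cast because it falls back to the default whenever the whole value is not an integer.

```php
<?php
// Added illustration; not VirtueMart code. request_int() is a hypothetical
// stand-in for a request helper that only ever returns an integer.
function request_int(array $request, string $name, int $default = 0): int
{
    // Missing values and arrays (e.g. ?order_status_id[]=7) get the default.
    if (!isset($request[$name]) || !is_scalar($request[$name])) {
        return $default;
    }
    // filter_var() returns false unless the whole value is an integer.
    $value = filter_var($request[$name], FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

// Hypothetical query builder; the table and column names are made up.
// The value is concatenated, so its safety depends entirely on its type.
function build_query($order_status_id): string
{
    return "SELECT * FROM example_order_status WHERE order_status_id = "
        . $order_status_id;
}

// Constructed sample requests: a normal id, a value carrying extra SQL,
// an array-valued parameter, and a request without the parameter.
$samples = [
    ['order_status_id' => '7'],
    ['order_status_id' => '7 OR 1=1'],
    ['order_status_id' => ['7']],
    [],
];

foreach ($samples as $request) {
    $raw = $request['order_status_id'] ?? '';
    $raw = is_scalar($raw) ? (string) $raw : '[array]';

    // Unvalidated: whatever was submitted becomes part of the statement.
    echo "raw:     ", build_query($raw), "\n";
    // Coerced: only an integer can reach the statement.
    echo "coerced: ", build_query(request_int($request, 'order_status_id')), "\n\n";
}
```

Only the first sample keeps its value after coercion; the other three reach the query as `0`, the default.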
