Fix: Virtuemart Blind SQL Injection
Written by Thomas Kahl
Tuesday, 01 February 2011 07:35
An hour ago packetstormsecurity published a Virtuemart security problem on Twitter. You can find the full description here: http://packetstormsecurity.org/files/view/98032/joomlavirtuemart116-sql.txt

From a first check it seems that the problem is an unchecked variable used in the internal Virtuemart search. You can fix this by replacing the following line in /components/com_virtuemart/virtuemart.php (should be around line 35)

```php
$search_category = vmRequest::getVar( 'search_category' );
```

with this one:

```php
$search_category = vmRequest::getInt( 'search_category' );
```

This makes sure that the parameter "search_category" is always an integer before it reaches the search query. If there are other things affected by this security hole, I'll update this post.
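As an added illustration (not Virtuemart's own code), the snippet below shows what the switch from getVar to getInt buys: the raw request value reaches the query untouched in the first builder, while the second collapses it to an integer first. The demo_getVar/demo_getInt helpers and the table and column names are stand-ins assumed for this example; only the parameter name search_category comes from the post.

```php
<?php
// Added example, not Virtuemart code. demo_getVar/demo_getInt are simplified
// stand-ins for vmRequest::getVar / vmRequest::getInt so the script runs alone.

// Stand-in for getVar(): hands back the request value as-is.
function demo_getVar(array $request, string $name, string $default = ''): string {
    return isset($request[$name]) ? (string)$request[$name] : $default;
}

// Stand-in for getInt(): same lookup, but cast to int. PHP keeps only the
// leading numeric part of the string, so anything after it is discarded.
function demo_getInt(array $request, string $name, int $default = 0): int {
    return isset($request[$name]) ? (int)$request[$name] : $default;
}

// Vulnerable pattern: the raw string is interpolated into the WHERE clause.
// Table/column names are hypothetical.
function build_search_sql_unsafe(array $request): string {
    $search_category = demo_getVar($request, 'search_category');
    return "SELECT product_id FROM product_category_xref"
         . " WHERE category_id = $search_category";
}

// Fixed pattern (what the one-line patch achieves): the value is an int
// before it is ever placed into SQL, so no SQL fragment can survive.
function build_search_sql_fixed(array $request): string {
    $search_category = demo_getInt($request, 'search_category');
    return "SELECT product_id FROM product_category_xref"
         . " WHERE category_id = $search_category";
}

// Constructed inputs: a clean id and a value with a non-numeric tail.
foreach (['12', '12 abc'] as $value) {
    $request = ['search_category' => $value];
    echo "input:  {$value}\n";
    echo "unsafe: " . build_search_sql_unsafe($request) . "\n";
    echo "fixed:  " . build_search_sql_fixed($request) . "\n\n";
}
```

The integer cast is a complete fix only for parameters that must be numeric; string parameters need proper escaping or parameterised queries instead.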
VM-Expert.com is part of the B01 Consulting Network. Since 2003 we have been building shops and websites with Joomla and Virtuemart. We specialise in developing custom Joomla and Virtuemart extensions.