
A critical vulnerability in VirtueMart, a popular e-commerce extension that lets users set up online shops on sites running the Joomla content management system, could allow an attacker to gain super-admin privileges on sites that run the software.
VIRTUEMART USED BY MILLIONS OF WEBSITES
The issue is serious because VirtueMart is used by millions of websites. The extension has been downloaded more than 3.5 million times, said Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, in a blog post on Wednesday.
WHAT ARE THE RISKS?
A successful exploit would allow an attacker to become a Super Administrator and do anything they like, which could include running spam campaigns, uploading backdoors to your server or distributing malware to your site's users.
"VirtueMart uses Joomla's JUser class "bind" and "save" methods to handle user account information. That's not a problem in and of itself, but this class is very tricky and easy to make mistakes with," said Montpas.
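The classic mistake with a bind/save pair like JUser's is mass assignment: every key of the submitted array is copied onto the user object, so a request that smuggles in a group-membership field changes the account's privileges when it is saved. The page does not publish the exact VirtueMart flaw (Sucuri withdrew the details), so the block below is an added illustration of that general pitfall, not VirtueMart's or Joomla's code. The `DemoUser` class is a deliberately minimal stand-in for JUser, the `groups` field and the group ids 2 (Registered) and 8 (Super Users, the default ids in Joomla 2.5/3.x) are assumptions made for the demo, and the request array is constructed.

```php
<?php
// Added illustration, not VirtueMart or Joomla code.
// DemoUser is a stripped-down stand-in for Joomla's JUser: bind() copies
// every matching array key onto the object and save() persists whatever
// state bind() left behind. The 'groups' property is an assumed field name.
class DemoUser
{
    public $id = 0;
    public $username = '';
    public $email = '';
    public $groups = [2];   // assumed: 2 = "Registered" in a default install

    // Mass assignment, the behaviour that makes bind() easy to misuse.
    public function bind(array $data): void
    {
        foreach ($data as $key => $value) {
            if (property_exists($this, $key)) {
                $this->$key = $value;
            }
        }
    }

    // Stands in for JUser::save(): returns what would be written to the DB.
    public function save(): array
    {
        return get_object_vars($this);
    }
}

// Vulnerable pattern: the raw request array goes straight into bind(), so an
// attacker-supplied 'groups' key is persisted along with the profile fields.
function updateProfileVulnerable(array $request): array
{
    $user = new DemoUser();
    $user->bind($request);
    return $user->save();
}

// Hardened pattern: copy only the fields a profile form is allowed to change
// before binding, so privilege-bearing keys never reach the user object.
function updateProfileHardened(array $request): array
{
    $allowed = ['username', 'email'];
    $clean = array_intersect_key($request, array_flip($allowed));

    $user = new DemoUser();
    $user->bind($clean);
    return $user->save();
}

// Constructed request: an ordinary profile edit with a smuggled 'groups' key
// pointing at the assumed Super Users group id (8).
$request = [
    'username' => 'alice',
    'email'    => 'alice@example.com',
    'groups'   => [8],
];

var_dump(updateProfileVulnerable($request)['groups']);
var_dump(updateProfileHardened($request)['groups']);
```

Run with `php demo.php`: the vulnerable variant persists the attacker's group list, while the hardened variant keeps the default membership because the `groups` key is dropped before `bind()` ever sees it. The allowlist approach is preferable to a denylist of "dangerous" keys, since a denylist has to be updated every time the user model gains a new privilege-bearing field.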
The issue was discovered last week and was patched in VirtueMart 2.6.10, released on Sept. 4. VirtueMart already advises that "everyone using a version lower than 2.6.10 should update as soon as possible for security reasons".
Sucuri originally posted technical details about the vulnerability but has since removed them at the developer's request.
"We are removing the technical details as requested. Other extensions might be vulnerable to the same issue, so we will do more research on that," Montpas added.
UPDATE NOW
The vulnerability was found in VirtueMart 2.6.8c. VirtueMart released an update on September 4 to address the problem, and all users should update to the latest version (2.6.10) as soon as possible.