On the 10th of February 2015 Appcheck reported several security flaws in the popular VirtueMart eCommerce extension for Joomla (Version 3.0.2). A fix has since been made available via http://virtuemart.net/ although no official announcement was released by the vendor.
Cross Site Scripting (XSS) vulnerabilities occur when data submitted to the application is not properly handled before being embedded within the application’s response or stored for later retrieval.
Reflected XSS vulnerabilities are typically exploited by embedding malicious script code within links to the application. The attacker would then attempt to trick the user into following the maliciously crafted link via a social engineering attack such as a phishing email.
Upon clicking the malicious link, the embedded script code is inserted into the server’s response and executed within the user’s web browser.
XSS vulnerabilities can be exploited to hijack authenticated user sessions, perform a virtual defacement and deploy Trojan functionality.
Several Cross Site Scripting (XSS) vulnerabilities were identified, including:
The bundled uploader.swf flash file passes the flashvar variable “fireCallback” to the ExternalInterface.call method insecurely. It is possible to pass a JavaScript function via this parameter to perform a Cross Site Scripting attack.
Example: http://JOOMLAHOST/media/system/swf/uploader.swf?fireCallback=alert(document.cookie)
Affected Code
The following code was identified as being vulnerable via the Appcheck NG static analysis module:
function fireEvent(functionName:String, args:*=null) : void {
    verboseLog("Main::fireEvent \"" + functionName + "\"", args);
    if(args !== null)
    {
        if(args is Array)
        {
            // The arguments are escaped before being handed to JavaScript ...
            args = Escaper.escapeArray(args);
        }
        else
        {
            args = [Escaper.escape(args)];
        }
    }
    // ... but the callback name itself is taken straight from the flashvar
    // "fireCallback" and passed to ExternalInterface.call without validation.
    ExternalInterface.call(root.loaderInfo.parameters.fireCallback, functionName, (args) || ([]));
}
The payment components for Realex and Heidelpay are susceptible to reflected Cross Site Scripting.
Passing a double URL encoded JavaScript tag within the “keyword” parameter passed to the search component allows Cross Site Scripting.
Example: http://JOOMLAHOST/index.php/search?limitstart=0&option=com_virtuemart&view=category&keyword=<XSS HERE>
Arbitrary parameters (i.e. any named parameter) allow Cross Site Scripting via a double URL encoded payload.
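Both the unvalidated fireCallback flashvar and the double URL encoded payloads described above can be spotted in web server access logs. The following detector is an added example, not code from Appcheck or the VirtueMart project; the log lines, the IP addresses and the dotted-function-name rule for a legitimate callback are constructed assumptions, and the paths and parameter names are those given in this advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed sample access-log lines (not from the original report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2015:10:00:01 +0000] "GET /media/system/swf/uploader.swf?fireCallback=onUploadDone HTTP/1.1" 200 512
203.0.113.7 - - [10/Feb/2015:10:00:02 +0000] "GET /media/system/swf/uploader.swf?fireCallback=alert(document.cookie) HTTP/1.1" 200 512
203.0.113.9 - - [10/Feb/2015:10:00:03 +0000] "GET /index.php/search?limitstart=0&option=com_virtuemart&view=category&keyword=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 2048
203.0.113.9 - - [10/Feb/2015:10:00:04 +0000] "GET /index.php/search?option=com_virtuemart&view=category&keyword=red%20shoes HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Assumption: a legitimate fireCallback is a (possibly dotted) JavaScript function name.
CALLBACK_RE = re.compile(r'^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$')
TAG_RE = re.compile(r'<\s*/?\s*[a-z]', re.I)  # opener of an HTML/script tag

def decode_repeatedly(value, max_rounds=3):
    """Strip stacked URL encoding; returns (decoded, extra_rounds_applied)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_request(url):
    """Return a list of findings for one request target (path plus query)."""
    parts = urlsplit(url)
    is_uploader = parts.path.endswith('/media/system/swf/uploader.swf')
    findings = []
    # parse_qs already applies one round of URL decoding to each value.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for once_decoded in values:
            value, extra = decode_repeatedly(once_decoded)
            if is_uploader and name == 'fireCallback' and not CALLBACK_RE.match(value):
                reason = 'fireCallback is not a plain function name'
            elif TAG_RE.search(value):
                reason = 'HTML tag in parameter value'
            else:
                continue
            findings.append({'param': name, 'value': value, 'reason': reason,
                             'double_encoded': extra >= 1})
    return findings

def scan_log(text):
    hits = []  # (line number, finding) pairs for every flagged request line
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((line_no, f) for f in inspect_request(match.group(1)))
    return hits
```

The `double_encoded` flag is what distinguishes a payload that relied on a second decoding round (the bypass this advisory describes) from a plain single-encoded value that Joomla's own input filtering would normally see.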
The vendor acknowledged these findings and fixed them promptly. However, no security update notification was issued, so many VirtueMart administrators may not have applied the update.
Appcheck recommends that you update to the latest version to resolve the security flaws and, where applicable, remain PCI compliant.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).