Security Flaw Fixed in Popular Joomla Extension VirtueMart (CVE-2015-2193)

On 10 February 2015, Appcheck reported several security flaws in the popular VirtueMart eCommerce extension for Joomla (version 3.0.2). A fix has since been made available via http://virtuemart.net/, although the vendor released no official announcement.


Cross Site Scripting (XSS)

Cross Site Scripting (XSS) vulnerabilities occur when data submitted to the application is not properly handled before being embedded within the application’s response or stored for later retrieval.

Reflected XSS vulnerabilities are typically exploited by embedding malicious script code within links to the application. The attacker would then attempt to trick the user into following the maliciously crafted link via a social engineering attack such as a Phishing email.

Upon clicking the malicious link, the embedded script code is inserted into the server’s response and executed within the user’s web browser.

XSS vulnerabilities can be exploited to hijack authenticated user sessions, perform a virtual defacement and deploy Trojan functionality.

Several Cross Site Scripting (XSS) vulnerabilities were identified, including:

Adobe Flash XSS

The bundled uploader.swf Flash file passes the “fireCallback” flashvar to the ExternalInterface.call method as the JavaScript function name without validating it. Because Flash Player concatenates that name directly into the script it executes in the hosting page, a JavaScript expression such as alert(document.cookie) can be supplied in place of a function name to perform a Cross Site Scripting attack.

Example: http://JOOMLAHOST/media/system/swf/uploader.swf?fireCallback=alert(document.cookie)

Affected Code

The following code was identified as being vulnerable via the Appcheck NG static analysis module:

function fireEvent(functionName:String, args:*=null) : void {
    verboseLog("Main::fireEvent \"" + functionName + "\"",args);
    if(args !== null)
    {
        // The event arguments are escaped before they are handed to JavaScript...
        if(args is Array)
        {
            args = Escaper.escapeArray(args);
        }
        else
        {
            args = [Escaper.escape(args)];
        }
    }
    // ...but the callback name is read straight from the fireCallback flashvar
    // and passed to ExternalInterface.call without any validation.
    ExternalInterface.call(root.loaderInfo.parameters.fireCallback,functionName,(args) || ([]));
}
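To make the sink concrete, the following is an added JavaScript model; it is not code from VirtueMart, from the Swiff.Uploader project that ships uploader.swf, or from Flash Player. buildExternalInterfaceScript approximates the wrapper script Flash Player evaluates in the hosting page for ExternalInterface.call (the function name is concatenated verbatim, only the arguments are serialised); simulateHostPage runs that script against a fake document and a stand-in alert(); isSafeCallbackName and fireEventHardened are an assumed hardening, not the vendor's fix. The wrapper text, the cookie value and the event name are assumptions.

```javascript
// Added example: models the Flash ExternalInterface.call sink described above.
// Not VirtueMart, Swiff.Uploader or Flash Player code; the wrapper script is an
// approximation of what Flash Player generates, kept only to show its structure.

// Flash Player turns ExternalInterface.call(name, a, b) into JavaScript of the
// form:  try { __flash__toXML(name(a, b)); } catch (e) { "<undefined/>"; }
// The name is concatenated as-is; only the arguments are serialised.
function buildExternalInterfaceScript(callbackName, args) {
  const serialised = args.map((a) => JSON.stringify(String(a))).join(', ');
  return `try { __flash__toXML(${callbackName}(${serialised})); } catch (e) { "<undefined/>"; }`;
}

// Parse "?k=v&k2=v2" from a URL into an object, the way the SWF sees flashvars
// supplied in the query string via root.loaderInfo.parameters.
function flashVarsFromUrl(url) {
  const vars = {};
  const query = url.split('?')[1] || '';
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx < 0 ? pair : pair.slice(0, idx));
    vars[key] = idx < 0 ? '' : decodeURIComponent(pair.slice(idx + 1));
  }
  return vars;
}

// Vulnerable flow, mirroring fireEvent() above: fireCallback is used unchecked.
function fireEventVulnerable(flashVars, eventName, args) {
  return buildExternalInterfaceScript(flashVars.fireCallback, [eventName, ...args]);
}

// Hardened flow (assumed fix, not the vendor's): accept only a dotted
// JavaScript identifier such as "Swiff.Uploader.fireEvent". Parentheses,
// brackets, quotes and operators are rejected, so the name can never be an
// expression.
const CALLBACK_NAME_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && CALLBACK_NAME_RE.test(name);
}

function fireEventHardened(flashVars, eventName, args) {
  if (!isSafeCallbackName(flashVars.fireCallback)) {
    throw new Error('fireCallback is not a plain function name, refusing to call it');
  }
  return buildExternalInterfaceScript(flashVars.fireCallback, [eventName, ...args]);
}

// Stand-in for the hosting page: evaluates the generated script with a fake
// document and an alert() that records what it was shown. Returns the recorded
// messages, so a non-empty result means the callback name executed code.
function simulateHostPage(script, cookie) {
  const shown = [];
  const alertSpy = (msg) => { shown.push(String(msg)); };
  const fakeDocument = { cookie };
  const toXML = (v) => v;
  new Function('alert', 'document', '__flash__toXML', script)(alertSpy, fakeDocument, toXML);
  return shown;
}

// The advisory's URL, with a constructed session cookie value.
const attackUrl = 'http://JOOMLAHOST/media/system/swf/uploader.swf?fireCallback=alert(document.cookie)';
const vars = flashVarsFromUrl(attackUrl);

const injected = fireEventVulnerable(vars, 'uploadComplete', []);
console.log(injected);
// alert(document.cookie) is evaluated first; the TypeError from then calling its
// undefined result with the event name is swallowed by the try/catch, so the
// attacker's code runs silently.
console.log(simulateHostPage(injected, 'constructed_session=abc123'));

try {
  fireEventHardened(vars, 'uploadComplete', []);
} catch (e) {
  console.log('hardened:', e.message);
}
```

The escaping applied to the event arguments in the original ActionScript does not help here: the payload never travels as an argument, it is the callee.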

Cross Site Scripting with payment processing functions

The payment components for Realex and Heidelpay are susceptible to reflected Cross Site Scripting.

Cross Site Scripting within Keyword query string parameter

Passing a double URL-encoded script tag in the “keyword” parameter of the search component allows Cross Site Scripting: the single-decoded value passes the input filter, and the value is decoded a second time before it is embedded in the response.

Example: http://JOOMLAHOST/index.php/search?limitstart=0&option=com_virtuemart&view=category&keyword=<XSS HERE>

Cross Site Scripting within arbitrary query string and path parameters

Any query string or path parameter, regardless of its name, allows Cross Site Scripting via a double URL-encoded payload.
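The following added JavaScript example (not VirtueMart or Joomla code) models the double-encoding bypass described for the keyword parameter and for arbitrary parameters. The vulnerable flow is an assumption about the shape of the bug class (a tag-stripping filter applied after one URL decode, with a second decode performed later), not a reading of VirtueMart's source; the hardened render shows that escaping at the output boundary holds regardless of how many times the value was decoded. scanRequest is a small detector that reports at what decode depth a tag appears in each parameter name and value, which is what you would run over access-log request lines to spot double-encoded probes. The sample requests are constructed.

```javascript
// Added example: double URL encoding against a tag-stripping input filter.
// Not VirtueMart or Joomla code; the vulnerable flow is an assumed model of
// the bug class, and the sample requests are constructed.

// Naive blacklist-style filter: removes anything that looks like an HTML tag.
function naiveStripTags(value) {
  return value.replace(/<[^>]*>/g, '');
}

// Escape for an HTML text/attribute context. This is the control that
// actually prevents XSS, independent of what the input filter did.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed vulnerable flow: the web server decodes the query string once, the
// application filters the decoded value, and a later component decodes it
// again before embedding it in the page. The second decode reintroduces the
// characters the filter was looking for.
function renderSearchHeadingVulnerable(rawKeyword) {
  const decodedOnce = decodeURIComponent(rawKeyword);
  const filtered = naiveStripTags(decodedOnce);
  const decodedTwice = decodeURIComponent(filtered);
  return `<h2>Search results for ${decodedTwice}</h2>`;
}

// Hardened flow: decode as often as the application needs, then escape at
// the point of output. Input filtering is at most defence in depth.
function renderSearchHeadingHardened(rawKeyword) {
  const decodedOnce = decodeURIComponent(rawKeyword);
  const decodedTwice = decodeURIComponent(decodedOnce);
  return `<h2>Search results for ${escapeHtml(decodedTwice)}</h2>`;
}

// Detector: how many URL decodes does it take before a tag appears?
// Returns 0 for a literal tag in the raw request, 1 for a normally encoded
// one (what the server sees), 2 or more for a double-encoded bypass attempt,
// and null when no tag appears within maxDepth decodes.
const TAG_RE = /<\s*\/?\s*[a-z]/i;

function tagDecodeDepth(value, maxDepth = 4) {
  let current = value;
  if (TAG_RE.test(current)) return 0;
  for (let depth = 1; depth <= maxDepth; depth++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return null; // malformed percent-encoding; nothing more to decode
    }
    if (TAG_RE.test(next)) return depth;
    if (next === current) return null; // fully decoded, no tag found
    current = next;
  }
  return null;
}

// Scan one request target's query string, checking parameter names as well as
// values, since attacker-named parameters are also affected. Returns one
// finding per name or value in which a tag appears at any decode depth.
function scanRequest(requestTarget) {
  const findings = [];
  const query = requestTarget.split('?')[1] || '';
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const name = idx < 0 ? pair : pair.slice(0, idx);
    const value = idx < 0 ? '' : pair.slice(idx + 1);
    for (const [where, raw] of [['name', name], ['value', value]]) {
      const depth = tagDecodeDepth(raw);
      if (depth !== null) findings.push({ param: name, where, depth });
    }
  }
  return findings;
}

// Constructed sample: the advisory's search URL carrying a double-encoded
// <script> tag, i.e. "%3C" encoded again as "%253C".
const doubleEncoded = '%253Cscript%253Ealert(1)%253C%252Fscript%253E';
const sampleRequest =
  '/index.php/search?limitstart=0&option=com_virtuemart&view=category&keyword=' + doubleEncoded;

console.log(renderSearchHeadingVulnerable(doubleEncoded)); // tag reaches the page
console.log(renderSearchHeadingHardened(doubleEncoded));   // tag is escaped
console.log(scanRequest(sampleRequest));
```

A single-encoded payload is stripped by the same filter, which is exactly why a scanner that only tries `%3Cscript%3E` would report the parameter as safe; the detector's depth value separates the two cases.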


Solution


The vendor acknowledged these findings and fixed them promptly. However, no security update notification was issued, so many VirtueMart administrators may not yet have applied the update.

Appcheck recommends that you update to the latest version to resolve these security flaws and, where applicable, remain PCI compliant.

Sign up for a free Appcheck scan to assess your applications for security flaws via the Free Trial link.
