[VIM] vendor ack for "mambo-phphop Product Scroller Module R.F.I"

security curmudgeon jericho at attrition.org
Thu Aug 24 05:50:56 EDT 2006

: Disclosure:
: http://archives.neohapsis.com/archives/bugtraq/2006-08/0363.html
: Dispute:
: http://archives.neohapsis.com/archives/bugtraq/2006-08/0436.html
: Vendor:
: http://www.mambo-phpshop.net/
: which became
: http://virtuemart.net/
: Confirm:
: http://virtuemart.net/index.php?option=com_content&task=view&id=209&Itemid=57

Maybe I jumped the gun here =)

First, looking at the files listed in the disclosure vs the files 
available in the full VirtueMart package:

We see the files from the advisory in the various sub packages. So looks 
like we have the product in question. Now..

:  mambo-phpShop Security Alert
: Monday, 21 August 2006
: This is a security alert for all mambo-phpShop users. If you are still using
: mambo-phpShop at an older version than "mambo-phpShop 1.2-stable", your
: webshop is at a security risk.

: Please note that VirtueMart is not affected by this security issue.

and farther down that I didn't quote originally:

  There's an easy fix for this problem:
  Find the file 
  /administrator/components/com_phpshop/toolbar.phpshop.html.php and add

  defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

and throw in this part:

  This security issue was first discovered by mambo-phpShop users on 
  August 19 / 20 and is still not made public, so you have still time to 
  fix your installation.

so it appears this is a separate issue completely
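
A defender-side check built on the vendor fix quoted above, added here as an example and not part of the original post or the vendor's code: it walks a component directory and reports PHP files that lack the `_VALID_MOS` guard or reach an include before it. The file names and contents in `build_sample` are constructed, and the comment stripping is a heuristic.

```python
import re
import tempfile
from pathlib import Path

# The guard quoted in the alert, tolerating spacing, quote style and or/|| die/exit.
GUARD = re.compile(
    r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b""", re.I)
# File inclusion that should not be reachable before the guard has run.
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b", re.I)

def strip_comments(src):
    """Heuristic: drop /* */, // and # comments so a commented-out guard does not count."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(?://|#).*$", "", src)

def check_file(path):
    """Return 'ok', 'missing' (no guard) or 'late' (an include precedes the guard)."""
    code = strip_comments(Path(path).read_text(errors="replace"))
    guard = GUARD.search(code)
    if guard is None:
        return "missing"
    inc = INCLUDE.search(code)
    return "late" if inc and inc.start() < guard.start() else "ok"

def audit(root):
    """Map each .php file under root to its status, leaving out files that pass."""
    root = Path(root)
    results = {p.relative_to(root).as_posix(): check_file(p)
               for p in sorted(root.rglob("*.php"))}
    return {name: status for name, status in results.items() if status != "ok"}

def build_sample(root):
    """Write a constructed component tree (hypothetical file names and contents)."""
    guard = "defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );\n"
    files = {
        "guarded.php": "<?php\n" + guard + "require_once( $base . '/lib.php' );\n",
        "unguarded.php": "<?php\nrequire_once( $base . '/lib.php' );\n",
        "html/late.php": "<?php\ninclude( $base . '/lib.php' );\n" + guard,
        "html/commented.php": "<?php\n// " + guard + "echo 'x';\n",
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, status in audit(build_sample(tmp)).items():
            print(f"{status:8} {name}")
```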
