[VIM] vendor ack for "mambo-phphop Product Scroller Module R.F.I"
security curmudgeon
jericho at attrition.org
Thu Aug 24 05:50:56 EDT 2006
: Disclosure:
: http://archives.neohapsis.com/archives/bugtraq/2006-08/0363.html
:
: Dispute:
: http://archives.neohapsis.com/archives/bugtraq/2006-08/0436.html
:
: Vendor:
: http://www.mambo-phpshop.net/
: which became
: http://virtuemart.net/
:
: Confirm:
: http://virtuemart.net/index.php?option=com_content&task=view&id=209&Itemid=57
Maybe I jumped the gun here =)
First, looking at the files listed in the disclosure vs the files
available in the full VirtueMart package:
http://forge.joomla.org/sf/frs/do/viewRelease/projects.virtuemart/frs.virtuemart.virtuemart_1_0_6
We see the files from the advisory in the various sub packages. So looks
like we have the product in question. Now..
: mambo-phpShop Security Alert
: Monday, 21 August 2006
:
: This is a security alert for all mambo-phpShop users. If you are still using
: mambo-phpShop at an older version than "mambo-phpShop 1.2-stable", your
: webshop is at a security risk.
: Please note that VirtueMart is not affected by this security issue.
and farther down that I didn't quote originally:
There's an easy fix for this problem:
Find the file
/administrator/components/com_phpshop/toolbar.phpshop.html.php and add
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
and throw in this part:
This security issue was first discovered by mambo-phpShop users on
August 19 / 20 and is still not made public, so you have still time to
fix your installation.
so it appears this is a separate issue completely
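
Added example, not part of the original post or of the vendor's code: a small audit that lists PHP files in an unpacked component tree whose first statement is not the _VALID_MOS guard quoted in the vendor alert above. The function names and the two sample files are constructed for illustration, and the comment stripping is a heuristic, not a PHP parser.

```python
import os
import re
import sys
import tempfile

# Guard the vendor alert tells users to add; tolerate spacing and quote variations.
GUARD = re.compile(
    r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\s*\(""", re.I)
# Heuristic comment stripper: good enough for a file header, not a PHP parser.
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)
OPEN_TAG = re.compile(r"^\s*<\?(?:php)?", re.I)


def has_guard(source):
    """True if the first statement after the opening tag is the _VALID_MOS guard."""
    m = OPEN_TAG.match(source)
    if not m:
        return False  # output before any PHP tag: report as unguarded
    body = COMMENTS.sub("", source[m.end():]).lstrip()
    return GUARD.match(body) is not None


def audit_tree(root):
    """Return sorted relative paths of .php files under root that lack the guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if not has_guard(fh.read()):
                        missing.append(os.path.relpath(path, root))
    return sorted(missing)


def demo():
    """Audit a constructed two-file tree: one guarded file, one unguarded."""
    guarded = ("<?php\n/* header */\ndefined( '_VALID_MOS' ) or die( "
               "'Direct Access to this location is not allowed.' );\nclass T {}\n")
    unguarded = "<?php\n// no guard here\nclass T {}\n"
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("guarded.php", guarded), ("unguarded.php", unguarded)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_tree(root)


if __name__ == "__main__":
    print(audit_tree(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A file that is reported here is only a candidate for review; whether direct access to it matters depends on what the file does when loaded outside the CMS.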