The VM team worked on the security leak and patched it in VirtueMart 2.6.10 and 2.9.9B in record time after the issue was discovered. The VM team affirmed that the issue comes from the Joomla user model itself: "VirtueMart uses Joomla's JUser class "bind" and "save" methods to handle user accounts information," Montpas said. "That's not a problem in and of itself, but this class is very tricky and easy to make mistakes with." Therefore, many other extensions have the same problem. Putting sensitive data in the Joomla user model may leave the database at risk until the update is applied.
Fix the security issue without updating VirtueMart
There are 2 possible methods for dealing with the security problem if you cannot update VirtueMart:
1. Exchange the file models/user.php
The simplest way is to exchange the user model with the new one:
- Firstly, download the latest version of VirtueMart
- Then, replace the file /administrator/components/com_virtuemart/models/user.php with the new one.
2. Patch the user.php file
If your user model is too heavily modified to be replaced, do the following:
- Firstly, go to /administrator/components/com_virtuemart/models/user.php
- Secondly, search for the function named function store(&$data,$checkToken = TRUE)
- Lastly, add these lines at the beginning of the function:
unset($data['isRoot']);
unset($data['groups']);
unset($data['_authGroups']);
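Why these three lines matter, shown as an added example that is not VirtueMart's or Joomla's own code: DemoUser is a hypothetical stand-in whose bind() copies every submitted key onto the object, store() is reduced to the three added lines plus the bind step, and the form data and group ids are constructed.

```php
<?php
// Hypothetical stand-in for a user object whose bind() copies every
// submitted key onto the object. This is not Joomla's JUser class.
class DemoUser
{
    public $name = '';
    public $groups = array(1);   // constructed id for an ordinary customer group
    public $isRoot = false;
    public $_authGroups = null;

    public function bind(array $data)
    {
        foreach ($data as $key => $value) {
            if (property_exists($this, $key)) {
                $this->$key = $value;
            }
        }
        return true;
    }
}

// Same signature as the function named above; the body is reduced to the
// three added lines followed by the bind step (assumed simplification).
function store(&$data, $checkToken = TRUE)
{
    unset($data['isRoot']);
    unset($data['groups']);
    unset($data['_authGroups']);

    $user = new DemoUser();
    $user->bind($data);
    return $user;
}

// Constructed form data with privilege fields mixed in (99 is a made-up group id).
$post = array(
    'name'        => 'Test Customer',
    'groups'      => array(99),
    'isRoot'      => true,
    '_authGroups' => array(99),
);

$unpatched = new DemoUser();
$unpatched->bind($post);   // privilege fields are taken from the submitted data
$patched = store($post);   // privilege fields are dropped before bind() runs

var_dump($unpatched->isRoot, $unpatched->groups);
var_dump($patched->isRoot, $patched->groups);
```

After patching, the same comparison is a quick check on a staging copy: the object built through store() must keep its default groups and isRoot values whatever the submitted data contains.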
We hope this information helps you understand the importance of updating VirtueMart to version 2.6.10 or 2.9.9B right now. We have also updated our VirtueMart Joomla templates with the security version, which considerably protects your websites and your online stores. Keep in touch with us to get the latest information immediately.
Thanks for reading!