Security Researchers at web security firm Sucuri have found a critical vulnerability in VirtueMart, a popular Joomla e-commerce extension which was downloaded 3.5 Million times by the popular CMS users.
The vulnerability allows malicious user to gain super admin privilege to the entire Joomla Cpanel. This also gives the potential hacker to disable the current owner, the victim, and install himself as the new owner.
The issue was discovered last week and was patched by the developers of VirtueMart by releasing a quick fix 2.6.10 on Sept. 4. The VirtueMart page in the Joomla extensions catalogue advises users that “everyone using a version lower than 2.6.10 should update as soon as possible for security reasons.”
Sucuri originally released technical details including the Proof of Concept (PoC) about the vulnerability, but later removed them at the developer’s request. The developers cited that the VirtueMart vulnerability might harm other Joomla extensions also.
“VirtueMart uses Joomla’s JUser class ‘bind’ and ‘save’ methods to handle user accounts information.That’s not a problem in and of itself, but this class is very tricky and easy to make mistakes with. We actually think the problem is on the Joomla class itself, so we will not disclose any more details.” researcher quoted.
As regards to the responsibility for the vulnerability, the blame game has began with VirtueMart developers blaming Joomla for this bug. They said that may be a bug in Joomla Class that allows hackers to gain admin privileges. On the other hand, Joomla experts disagree to the VirtueMart allegations. Meanwhile Sucuri also thinks that Joomla class itself may be responsible for this bug.
The VirtueMart website contains a long list of online stores built with the extension and it will probably take some time until their owners update them all, putting the sensitive data stored in their databases at risk in the meantime.