Joomla! VirtueMart Component "virtuemart_userinfo_id" SQL Injection Vulnerability

SECUNIA ADVISORY ID:
SA48713

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48713/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48713

RELEASE DATE:
2012-04-06

DESCRIPTION:
A vulnerability has been discovered in the VirtueMart component for
Joomla!, which can be exploited by malicious users to conduct SQL
injection attacks.

Input passed via the "virtuemart_userinfo_id" POST parameter to
index.php/virtue-mart-edit-address (when "option" is set to
"com_virtuemart") is not properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

The vulnerability has been confirmed in version 2.0.2. Other versions
may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
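
One way to apply this fix, shown as an added example that is not VirtueMart's code and not part of the original advisory: accept "virtuemart_userinfo_id" only as a decimal integer and bind it as a typed parameter instead of concatenating it into the query. The `userinfos` table, its columns and the function names are hypothetical, and the in-memory SQLite data and POST bodies are constructed.

```php
<?php
// Added example, not VirtueMart code. Table, columns and function names are hypothetical.

/** Accept only a canonical positive decimal integer string; anything else yields null. */
function parse_userinfo_id($raw): ?int
{
    // \A and \z anchor the whole string, so a trailing newline is not accepted.
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw; // at most 9 digits, so the cast cannot overflow
}

/** Look up an address row with the id bound as an integer parameter. */
function load_address(PDO $db, array $post): ?array
{
    $id = parse_userinfo_id($post['virtuemart_userinfo_id'] ?? null);
    if ($id === null) {
        return null; // refuse before any SQL is prepared
    }
    $stmt = $db->prepare('SELECT id, city FROM userinfos WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfos (id INTEGER PRIMARY KEY, city TEXT)');
$db->exec("INSERT INTO userinfos VALUES (1, 'Oslo'), (2, 'Lyon')");

// Constructed POST bodies: one existing id, one unknown id, two malformed values.
$cases = [
    ['virtuemart_userinfo_id' => '1'],
    ['virtuemart_userinfo_id' => '999'],
    ['virtuemart_userinfo_id' => '1 OR 1=1'], // non-numeric text never reaches the query
    ['virtuemart_userinfo_id' => ['1']],      // array where a scalar is expected
];
foreach ($cases as $post) {
    $row = load_address($db, $post);
    echo json_encode($post), ' => ', $row === null ? 'no row returned' : $row['city'], PHP_EOL;
}
```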

PROVIDED AND/OR DISCOVERED BY:
renangbarreto

ORIGINAL ADVISORY:
http://forum.virtuemart.net/index.php?topic=99999.0
