[VIM] vendor ack for "mambo-phphop Product Scroller Module R.F.I"

security curmudgeon jericho at attrition.org
Thu Aug 24 06:11:26 EDT 2006


Man, I'm on a roll.

: First, looking at the files listed in the disclosure vs the files 
: available in the full VirtueMart package:
: http://forge.joomla.org/sf/frs/do/viewRelease/projects.virtuemart/frs.virtuemart.virtuemart_1_0_6
: 
: We see the files from the advisory in the various sub packages. So looks 
: like we have the product in question. Now..

Most are there, but not all. So maybe this affects an older version of 
mambo-phpShop and the derived VirtueMart, but not for each file. First the 
list of files declared vulnerable, second the subpackage in VirtueMart 
that contains it.

    mod_phpshop.php			[4]
    mod_phpshop_allinone.php		[3]
    mod_phpshop_cart.php		[5]
    mod_phpshop_featureprod.php		[2]
    mod_phpshop_latestprod.php		[1]
    mod_product_categories.php		mod_product_categories_1.0.6.tar.gz
    mod_productscroller.php		mod_productscroller_1.0.6.tar.gz
    mosproductsnap.php			modproductsnap_1.0.6.tar.gz


[1] mod_virtuemart_latestprod.php in mod_virtuemart_latestprod_1.0.6.tar.gz
[2] mod_virtuemart_featureprod.php in mod_virtuemart_featureprod_1.0.6.tar.gz
[3] mod_virtuemart_allinone.php in mod_virtuemart_allinone_1.0.6.tar.gz
[4] mod_virtuemart.php in mod_virtuemart_1.0.6.tar.gz
[5] mod_virtuemart_cart.php in mod_virtuemart_cart_1.0.6.tar.gz


So the first three files I looked at were in there verbatim and I made the 
assumption it was the same package. In reality, 3 of 8 were in there, but 
everything suggests the derived product may be vulnerable and even have 
more components that could be affected.

