I've read in earlier posts here that Virtuemart had numerous vulnerability issues. I have a great client that wants to add online sales to her small business Joomla website and I'd love to help her. Just not a the risk of a compromised server. I've had my server compromised twice in the past four years and never again, if I can help it. Is Virtuemart still risky ? Is there an alternative for Joomla for someone with a modest budget ? Thanks.
#27414 Virtuemart
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a
Latest post by on Sunday, 23 April 2017 17:17 CDT
Friday, 24 March 2017 04:15 CDT
nicholas
Akeeba Staff
Manager
VirtueMart doesn't have a good security track record. This, by itself, is not a problem. The actual problem is that its developer doesn't seem to realize that the reason this keeps happening is his oversight. Instead of admitting responsibility he blames Joomla!.
For example, a few years ago he allowed people to register as Super Users through VirtueMart. This only happened because he was passing the user input blindly to Joomla!'s internal API, without filtering. Do note that this API is supposed to be fed filtered data by definition (it's a Model, not a Controller). Of course someone could alter the request to include a parameter which instructs the internal API to assign any user group to the user. It is very clear to even the most beginner developer that the problem here isn't the internal Joomla! API but the data that was being stupidly fed to it. Everyone understood it... except VirtueMart's lead developer.
There are many incidents like that. In the beginning me and other experienced developers tried to help that guy by pointing out why this keeps happening and how he should defend against silly bugs like that. Unfortunately it was like talking to a brick wall. At some point he devolved the conversation into public, personal attacks against us. At this point we all decided that we can't fix stupid and did the only responsible thing we could do: tell our users to avoid VirtueMart at all cost. It's written by an idiot who doesn't understand the basics of security and won't even bother to at least feign interest in learning how web application security works. When you confront him about it he'll tell you about the time he was an intern in Fraunhoffer Institute, like that means anything. *shrug*
If you are looking for a GOOD e-commerce system for Joomla! I recommend HikaShop. It's far more stable and secure. I have also spoken to the guys developing it. Very good people, they know what they're doing and they do care about security. Does it have security issues? Yeah, at the same rate all complex software of that size does, i.e. a security issue every 1-2 years. Just install the updates and you'll be fine.
Other people I've spoken to and whose opinion I trust have also recommended J2Store. I haven't used it at all so I don't know much about it. I am told that it's much easier to set up, even though not as powerful as HikaShop.
If you want to go outside Joomla!, i.e. run the e-commerce site parallel to the Joomla! site, a great and relatively easy to set up solution is PrestaShop. I've worked with it adding support for it in Akeeba Solo. From the little I've seen it seems powerful and relatively easy to set up. It also has a really good ecosystem of extensions e.g. for integrating payment methods.
For example, a few years ago he allowed people to register as Super Users through VirtueMart. This only happened because he was passing the user input blindly to Joomla!'s internal API, without filtering. Do note that this API is supposed to be fed filtered data by definition (it's a Model, not a Controller). Of course someone could alter the request to include a parameter which instructs the internal API to assign any user group to the user. It is very clear to even the most beginner developer that the problem here isn't the internal Joomla! API but the data that was being stupidly fed to it. Everyone understood it... except VirtueMart's lead developer.
There are many incidents like that. In the beginning me and other experienced developers tried to help that guy by pointing out why this keeps happening and how he should defend against silly bugs like that. Unfortunately it was like talking to a brick wall. At some point he devolved the conversation into public, personal attacks against us. At this point we all decided that we can't fix stupid and did the only responsible thing we could do: tell our users to avoid VirtueMart at all cost. It's written by an idiot who doesn't understand the basics of security and won't even bother to at least feign interest in learning how web application security works. When you confront him about it he'll tell you about the time he was an intern in Fraunhoffer Institute, like that means anything. *shrug*
If you are looking for a GOOD e-commerce system for Joomla! I recommend HikaShop. It's far more stable and secure. I have also spoken to the guys developing it. Very good people, they know what they're doing and they do care about security. Does it have security issues? Yeah, at the same rate all complex software of that size does, i.e. a security issue every 1-2 years. Just install the updates and you'll be fine.
Other people I've spoken to and whose opinion I trust have also recommended J2Store. I haven't used it at all so I don't know much about it. I am told that it's much easier to set up, even though not as powerful as HikaShop.
If you want to go outside Joomla!, i.e. run the e-commerce site parallel to the Joomla! site, a great and relatively easy to set up solution is PrestaShop. I've worked with it adding support for it in Akeeba Solo. From the little I've seen it seems powerful and relatively easy to set up. It also has a really good ecosystem of extensions e.g. for integrating payment methods.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Sunday, 23 April 2017 17:17 CDT
System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.