Unofficial Virtuemart SECURITY FIX for Joomla! 2.5.28
Earlier this month we reported that the Joomla! Project had released Joomla! 3.6.5 SECURITY FIX.
The fix addressed a High Priority issue which affects all installations of Joomla! from 1.6 through to 3.6.4.
Unfortunately for users of older versions of the Joomla! CMS, the Joomla! Project only issued the security fix for Joomla! 3.
Reason: the Joomla! Project no longer supports older versions of Joomla!
We received news this morning that the developer of the eCommerce extension, Virtuemart, has belatedly created and released their own security patch for Joomla! 2.5.28.
The reason given by Virtuemart is that "a lot people still use Joomla 2.5. with VirtueMart".
The Virtuemart Patch
You can download the patch from the Virtuemart Blog.
We understand that the patch will address the same high priority issue in Joomla! 2.5 as was addressed in Joomla! 3 by the release of Joomla! 3.6.5.
A note of caution
We have not applied the fix to a Joomla! 2.5 installation because we no longer provide support for Joomla! 2.5 websites.
We have also not seen any independent reports of tests undertaken by web security specialists (for example, SUCURI) to confirm that the fix actually works.
Stop using Joomla! 2.5
This will not be the last time that users of Joomla! 2.5 are left wondering whether someone will come to their rescue with a much-needed security fix.
And even when a fix does arrive, it will be long after the hackers have been made aware of the issue and set their bots to work.
We therefore strongly recommend that users of Joomla! 2.5 either upgrade to Joomla! 3 or rebuild their website using the Joomla! 3 CMS.
You should only consider applying the Virtuemart security patch for Joomla! 2.5 if upgrade or rebuild is not feasible for you.
If you do choose to apply the security patch then you should first:
- perform a full backup of your website,
- make sure you have applied the December 2015 security patch for Joomla! 2.5, and
- if you discover you did not apply the December 2015 security patch, roll back to the last known 'clean' backup you made prior to December 2015 and apply both security patches.
We recommend that ALL users of Joomla! install a Web Application Firewall.
Users of Joomla! 2.5 should certainly do so because Joomla! 2.5 is unlikely to be watertight even after applying the above security patches.
WYNCHCO Joomla! CMS Support
We coach, help and support managers with responsibility for Joomla! websites in organisations across Cheshire, Manchester, Merseyside, North West England & the UK.