This is a reply to Radek's blog post "The currently discovered bug in VirtueMart is ..."
All quotations in this article are from Radek Suski's blog post "The currently discovered bug in VirtueMart is ..."
Thank you, Radek, for this sensible blog post. From my point of view, there are a lot of misconceptions; that means your assumptions, or what you have heard, are not right. I can understand that, because I wrote our news from memory while I was on holiday.
The first misconception of the whole issue is this:
"Despite the attempts of VM developers to pin this vulnerability to Joomla!"
I wrote in our news:
"and it should also be fixed in the JUser to prevent misuse of it." It says exactly that we used it wrong. So we admit our error here. So anyone who blames us for blaming Joomla did not read it carefully.
"I am a bit astonished and disappointed about particular media's reaction and also about VirtueMart's efforts to declare that this is Joomla!'s issue."
We are also very disappointed. I was informed by the Sucuri team 2 days before my holiday about the security issue. As mentioned everywhere, we did the fix in record time. I also tried to get in informal contact with some Joomla LT members to talk about the issue and how to proceed. Actually, my question is not whether it is the fault of A or B. My intention was just to make it as secure as possible for everyone. So, if we use a car analogy, Joomla works, imho, like a car without central locking. Yes, we sometimes forget to lock all our doors, but actually it is so easy to add central locking. Please read my news again and you will see that I do not blame Joomla. I just explained why we did not directly proceed with the Full Disclosure. So, please, anyone who is thinking that I blamed Joomla, take a step back, take a deep breath, and understand that we did not.