5. HowTo
- Install Joomla! locally
- Open in Firefox
- Log in to Admin Module
- Change POSTs to GETs
- Insert script tags and alert('xss') on various URL parameters
- If (alert=true) { print "yay!!" }
6. Technojabble
- The search parameter
- Exploit code:
  " onmousemove=alert('xss') />
  " onmousemove=alert(document.cookie) />
  " onmousemove=window.location.assign(url) />
- 17 component modules
- All versions prior to 1.5.18
- Phishing, malware download, cookie stealing etc.
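An added example (not from the slides and not Joomla's own code): it reflects a search value into an `<input>` verbatim and then with output encoding, and uses Python's HTML parser as a regression check for attributes that the reflected value adds to the element. The field name `q` and all function names are hypothetical; the payload strings are the ones listed on the slide.

```python
import html
from html.parser import HTMLParser

# Payloads exactly as listed on the slide; each closes a quoted attribute value.
SLIDE_PAYLOADS = [
    "\" onmousemove=alert('xss') />",
    "\" onmousemove=alert(document.cookie) />",
    "\" onmousemove=window.location.assign(url) />",
]

# Attributes the template itself puts on the element (hypothetical template).
EXPECTED_ATTRS = {"type", "name", "value"}


def render_unsafe(search):
    """Reflects the parameter verbatim, the pattern the payloads rely on."""
    return '<input type="text" name="q" value="' + search + '" />'


def render_safe(search):
    """Encodes &, <, > and both quote characters before reflecting the value."""
    return '<input type="text" name="q" value="' + html.escape(search, quote=True) + '" />'


class _InputAttrs(HTMLParser):
    """Records the attributes the parser sees on the first <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_input(fragment):
    parser = _InputAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


def injected_attributes(fragment):
    """Attribute names present on the element that the template did not emit."""
    return sorted(set(parse_input(fragment)) - EXPECTED_ATTRS)


if __name__ == "__main__":
    for payload in SLIDE_PAYLOADS:
        print(injected_attributes(render_unsafe(payload)),
              injected_attributes(render_safe(payload)))
```

With encoding applied, the parsed `value` attribute round-trips to the original string, so the search term is preserved as data instead of becoming markup.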
7. Timeline
- Discovered between May 10th-12th
- Informed JSST on May 13th
- Acknowledged on May 13th
- Constant updates
- Fixed version release May 28th
- Fixed Version 1.5.18 [latest stable]
- Bugtraq and Secunia June 2nd
- NVD June 4th