Sunday 3 June 2012

[EN] Joomla 2.5.4 - remote user logout bug

Yes, it seems that in the (still) latest Joomla (2.5.4) we have a so-called bug.

By sending a malformed request to the user, we are able to "log out" that user.

Why could this be used for an attack? Well, a bad guy can change (deface) your company's site
and add a password stealer there (to the PHP code, for example).

Now he can log out all users like a sniper. ;]

(Yes, yes, there is a way to do the same from the admin panel, but who cares...? ;))

I want to finish some tests right now, and in a few hours there will be an update here.

...and thanks for watching through all this break ;)

Cheers o/
;)
