Hole in Joomla CMS allows addition of admin accounts
The vulnerability was published on December 27 and had already been fixed, together with two other CSRF vulnerabilities, in version 1.5 RC4 in mid-December. Version 1.0.13, however, is still affected. The developers are said to be working on an update. Until it is released, users working in their CMS are advised not to open additional browser windows. According to reports, however, merely closing the window after finishing work in the CMS before visiting other pages is not enough, because the session remains valid. Instead, users must end the session by explicitly logging out of the backend.
Another example of a potential CSRF attack was recently found in the WRT54GL Linksys router.
- Multiple CSRF in Joomla all versions - Complete compromise, vulnerability report by Zinho
- Joomla 1.0.13 CSRF, vulnerability report by Jose Carlos Nieto
- Multiple CSRF in Joomla, Joomla forum discussion of the vulnerability