Just like the Click-Jacking style Joomla CMS hijacking. CSRF and Automation are needed to infect blogs, CMS, forums, and etc. Possible? Yes indeed!

Scenario :

• Victim log in to his/her blog, and does not sign out from it.
• Victim visits a malicious site with Click-Jacking, any clicks there will trigger a CSRF attack which will attempt to insert a script into victims blog theme. (Just like WordPress Theme Editor)
• The script will generate an iFrame containing Click-Jacking
• Now the victim’s blog become a zombie that will attempt to infect all his/her blog’s visitors blog.

Isn’t it lovely? Just a thought . . .

How it works :

- First a victim logged into his Joomla Powered site Administration Control Panel

- He didn’t logged out from the service

- He visited a malicious site

- He clicked on something (anything on the page)

- By the time he clicked, his Joomla Powered site password has been changed without his notice

Combining Click-jacking & CSRF, the clicked trigger a password change request to the Joomla site using the victim privilege. Thus the attack was success, the victim’s site admin password changed.

Here is the link : http://www.hackers.web.id/clickjacking-joomla.rar