This is a false vulnerability, correct? You won't be able to see the cookie, unless you are on the administrators computer, and logged in as him right?

Cross Site Scripting Vulnerability 1 :

Vulnerable File : administrator/popups/index3pop.php

Vulnerable Line (5) : <title><?php echo $mosConfig_sitename; ?> - Administration [Mambo]</title>

Vulnerable Variable : mosConfig_sitename

For Example : http://Example/administrator/popups/index3pop.php?mosConfig_sitename=</title><script>alert(document.cookie)</script>

Attacker can hijack administrator cookie and session and login with they

http://www.milw0rm.com/exploits/6438

It's not quite so simple as that. An Authentication Bypass Exploit is one of the trickier Cross Site Scripting Exploits out there. By posting code on a particular site that you know an administrator goes to, you can extract the cookie he used to authenticate. You can then use that cookie (until it expires or the administrator logs off) to perform administrative actions on the site.

An easy fix for mostly disabling this exploit is to associate a randomly-generated session key with the cookie. As the administrator posts data or navigates pages, generate the key and put it in the POST or COOKIE. When the next page loads, compare the key in the session with the key in the POST or COOKIE. If they match, the administrator is authenticated and you destroy the key.

If the cookie is intercepted, the key it contains is only valid for that one single transfer, and cannot be used for other possibly malicious means.