By manipulating the s: (serialized string) parameters, an attacker could bypass the disableOutput flag on blocks. In plain English:
Numerous Proof of Concept (PoC) scripts were hosted on GitHub to demonstrate how the exploit functioned. While intended for security researchers and developers to test their own systems, these scripts were also utilized by malicious actors.

Mitigation and Safety
If you are securing a legacy 1.9.0.0 site, the following steps are mandatory:

Apply Patches: Install the SUPEE-5344 and SUPEE-1533 patches immediately.