This is a very interesting vulnerability: a SQL injection flaw in the password reset function. The code that decides which account gets its password reset is this..
$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));
The token is supposed to be a verification code that is sent to your email address when you request a password reset. BUT if you just say your token is an ampersand, the request filter strips the non-alphanumeric character before the query is built, so the token arrives as an empty string and the SQL statement looks like this...
SELECT id FROM jos_users WHERE block = 0 AND activation = ''
Which selects the first account in the database (the ADMINISTRATOR, created first and, like every activated account, carrying an empty activation value) for a password reset. The next screen that appears is where you're prompted for a new admin password. Sorry dude, your website was 0wn3d by a single character.
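As an added example (not code from this post or from the affected project), here is the two-step failure simulated in Python against an in-memory SQLite copy of the users table: the request filter reduces a lone ampersand to an empty token, and the concatenated query then matches the first activated account. The hardened lookup beside it refuses anything that is not a well-formed token before the query runs and binds the value instead of concatenating it. The filter behaviour, the 32-hex-character token format, and the sample rows are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample data, not the site's real table: an activated
# administrator (empty activation value, created first), a user who has just
# requested a reset and so holds a 32-character token, and a blocked account.
SAMPLE_USERS = [
    (62, "admin", 0, ""),
    (63, "alice", 0, "1b4f0e9851971998e732078544c96b36"),
    (64, "mallory", 1, ""),  # block = 1, must never match either lookup
]


def make_db():
    """Build an in-memory SQLite stand-in for the users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, "
        "block INTEGER, activation TEXT)"
    )
    db.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db


def alnum_filter(value):
    """Assumed request filter: drops every character outside A-Z, a-z, 0-9.
    A lone '&' (or any other single punctuation character) becomes ''."""
    return re.sub(r"[^A-Za-z0-9]", "", value)


def quote(value):
    """Stand-in for $db->Quote(): wrap in single quotes and escape embedded
    ones (SQLite style; MySQL backslash-escapes, which makes no difference
    here because the filter has already removed anything worth escaping)."""
    return "'" + value.replace("'", "''") + "'"


def build_vulnerable_sql(raw_token):
    """The query exactly as the vulnerable code assembles it."""
    token = alnum_filter(raw_token)
    return "SELECT id FROM jos_users WHERE block = 0 AND activation = " + quote(token)


def vulnerable_lookup(db, raw_token):
    """Vulnerable flow: nothing checks that the token is non-empty, so
    activation = '' matches every activated account and the first row
    (the administrator) is the one whose password gets reset."""
    row = db.execute(build_vulnerable_sql(raw_token)).fetchone()
    return row[0] if row else None


# Assumed token format: 32 lowercase hex characters, as issued by the mailer.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


def hardened_lookup(db, raw_token):
    """Hardened flow: reject anything that is not a well-formed token before
    the query runs, then pass it as a bound parameter rather than by string
    concatenation. An empty or mangled token can never match a row."""
    token = alnum_filter(raw_token)
    if not TOKEN_RE.fullmatch(token):
        return None
    row = db.execute(
        "SELECT id FROM jos_users WHERE block = 0 AND activation = ?", (token,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("&"))   # ... AND activation = ''
    print(vulnerable_lookup(db, "&"))  # 62, the administrator
    print(hardened_lookup(db, "&"))    # None
    print(hardened_lookup(db, "1b4f0e9851971998e732078544c96b36"))  # 63
```

The parameter binding in the hardened version is good hygiene but is not what closes this hole: the quoting already prevented classic quote-breaking injection. The actual fix is the format check that refuses an empty token, because an empty activation value is exactly what every normal account carries.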
Once the attacker had admin access, he added his own PHP code (a c99 shell) and had full access to the Apache instance (as the apache user). So why only a small image in a small frame when he had access to SO much more? Who knows. Perhaps good fortune. Perhaps they caught it early. The attack certainly did not require much work; just about anyone could pull it off. Maybe he didn't know what he was doing, but my guess is there were a TON of websites out there that required his attention. The PUBLIC disclosure of the vulnerability was about 48 hours old at the time, and 48 hours isn't enough time to move through most change control processes. There were probably many more fish to fry.
If you haven't patched, go ahead and do it and save yourself some heartache.