Tested with: Seditio 165
Seditio does not sanitize or encode data when it is fetched from the database, and it stores the private message title and body exactly as the sender typed them, without any sanitization. A test message containing script tags lands in sed_pm unchanged:
===========================================================================
mysql> select * from sed_pm \G
*************************** 1. row ***************************
        pm_id: 6
     pm_state: 0
      pm_date: 1334009749
pm_fromuserid: 1
  pm_fromuser: admin
  pm_touserid: 1
     pm_title: <script>alert(1);</script>
      pm_text: <script>alert(2);</script>
1 row in set (0.00 sec)
Because the pmoku plugin trusts these stored values, it is vulnerable to stored XSS: a payload placed in a private message title or body is executed in the browser of the administrator who opens the pmoku page in the admin panel (admin.php?m=tools&p=pmoku).
Vulnerable code section (near the bottom, $pm_text = $row['pm_text']; takes the body straight from the database, and $pm_title is handled the same way; both are then echoed into the table without any HTML encoding):
//plugins/pmoku/pmoku.admin.php
----------------------------------------Snip ------------------------------------
// Latest 50 private messages, read straight from the table shown above.
$sql = sed_sql_query("SELECT * FROM sed_pm ORDER by pm_date DESC LIMIT 0,50");
$plugin_body .= "<h4>".$L['editdeleteentries']." :</h4>";
$plugin_body .= "<table class=\"cells\"><tr>";
$plugin_body .= "<td class=\"coltop\">".$L['Delete']."</td>";
// Turkish column headers: Tarih = Date, Gönderen = Sender, Konu = Subject,
// Mesaj = Message, Alan = Recipient.
$plugin_body .= "<td class=\"coltop\">Tarih</td>";
$plugin_body .= "<td class=\"coltop\">Gönderen</td>";
$plugin_body .= "<td class=\"coltop\">Konu</td>";
$plugin_body .= "<td class=\"coltop\">Mesaj</td>";
$plugin_body .= "<td class=\"coltop\">Alan</td>";
$plugin_body .= "</tr>";
while ($row = sed_sql_fetcharray($sql))
{
$pm_id = $row['pm_id'];
$pm_date = @date($cfg['dateformat'], $row['pm_date'] + $usr['timezone'] * 3600);
// Sender name, subject and body are copied raw from the database;
// no htmlspecialchars() or equivalent is applied anywhere below.
$pm_fromuser = $row['pm_fromuser'];
$pm_title = $row['pm_title'];
$pm_text = $row['pm_text'];
$pm_touserid = $row['pm_touserid'];
// $allowlist_id is never defined in this plugin (the form markup appears
// to be carried over from the adminallow tool), so the id and action
// attributes are emitted with an empty value.
$plugin_body .= "<form id=\"saveallowlist_".$allowlist_id."\" action=\"admin.php?m=tools&p=adminallow&a=update&id=".$allowlist_id."\" method=\"post\">";
$plugin_body .= "<tr><td style=\"text-align:center;\">[<a href=\"admin.php?m=tools&p=pmoku&a=delete&id=".$pm_id."&".sed_xg()."\">x</a>]</td>";
$plugin_body .= "<td>$pm_date</td>";
$plugin_body .= "<td>$pm_fromuser</td>";
// Subject and body are interpolated directly into the HTML: a stored
// <script> payload in either field runs in the administrator's browser.
$plugin_body .= "<td>$pm_title</td>";
$plugin_body .= "<td>$pm_text</td>";
$plugin_body .= "<td>$pm_touserid</td>";
$plugin_body .= "<td><input type=\"submit\" class=\"submit\" value=\"".$L['Update']."\" /></td></tr></form>";
}
$plugin_body .= "</table>";
------------------------------EOF Snip ------------------------------------
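The following is an added example, not code from the advisory or from the pmoku plugin. It reproduces the row-rendering loop above in a stand-alone script, once the way pmoku.admin.php does it (raw interpolation) and once with output encoding applied at the point where the value enters the HTML, which is the fix for this class of bug. The $rows array is constructed to mirror the sed_pm record shown earlier; the function names render_cell_vulnerable, render_cell_safe, h and render_rows are assumptions of this example and do not exist in Seditio.

```php
<?php
// Added example: vulnerable vs. hardened rendering of sed_pm rows.
// Not part of the advisory or the pmoku plugin; runs stand-alone.

// Constructed rows matching the mysql output shown in the advisory.
$rows = [
    [
        'pm_id'       => 6,
        'pm_date'     => 1334009749,
        'pm_fromuser' => 'admin',
        'pm_title'    => '<script>alert(1);</script>',
        'pm_text'     => '<script>alert(2);</script>',
        'pm_touserid' => 1,
    ],
];

// What pmoku.admin.php does: the database value is dropped into the
// markup unchanged, so any HTML in it becomes part of the page.
function render_cell_vulnerable(string $value): string
{
    return "<td>$value</td>";
}

// Output-encode at the HTML boundary. ENT_QUOTES also encodes ' and ",
// so the same helper is safe for attribute values; ENT_SUBSTITUTE keeps
// malformed UTF-8 from silently producing an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_cell_safe(string $value): string
{
    return '<td>' . h($value) . '</td>';
}

// Same column order as the plugin's table: date, sender, subject, body, recipient.
// $cell is the per-cell renderer so both variants share one loop.
function render_rows(array $rows, callable $cell): string
{
    $out = '';
    foreach ($rows as $row) {
        $out .= '<tr>'
            . $cell((string) $row['pm_date'])
            . $cell($row['pm_fromuser'])
            . $cell($row['pm_title'])
            . $cell($row['pm_text'])
            . $cell((string) $row['pm_touserid'])
            . "</tr>\n";
    }
    return $out;
}

$vulnerable = render_rows($rows, 'render_cell_vulnerable');
$safe       = render_rows($rows, 'render_cell_safe');

// Sanity checks: the raw variant carries the payload through verbatim,
// the encoded variant contains no live tag at all.
assert(strpos($vulnerable, '<script>alert(2);</script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;alert(2);&lt;/script&gt;') !== false);

echo "Vulnerable:\n$vulnerable\nHardened:\n$safe";
```

Run it with `php example.php`. The hardened variant encodes on output rather than sanitizing on input: stripping tags before the INSERT would still leave every message already sitting in sed_pm live, whereas encoding at render time neutralizes old and new rows alike. The same treatment belongs on $pm_fromuser, since a user-controlled display name reaches the table through the same path.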
Print screen:
http://s019.radikal.ru/i617/1204/b2/9c434fd50926.png
Special Thanks 2 MeTaiZm & 2 All AA Team.
+++++ Greetz to all ++++++
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!