============================================================================
Vulnerable Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS].
http://seditio-eklenti.com/datas/users/1-pmoku.rar
(MD5 SUM: 88235c2b4b0613bff87545d2d887f042 *1-pmoku.rar)
http://seditio-eklenti.com/seditio-pm-okuma-eklentisi-d46.html
============================================================================
About Software: PmOS - Pm Okuma Sistemi [plugin for Seditio CMS] gives administrators the ability to read other users' PMs (private messages).
============================================================================
Tested with: Seditio 165
*php.ini MAGIC_QUOTES_GPC OFF*
Safe mode off
/*
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
    -> ;
+-----------+
| version() |
+-----------+
| 5.5.21    |
+-----------+
*/
============================================================================
Vuln Desc: Due to insufficient sanitization, this plugin is prone to a persistent (stored) cross-site scripting vulnerability.
============================================================================
No sanitization is applied when data is fetched from the database. And thanks to Seditio CMS again! It stores the private message body in the database without any sanitization:
===========================================================================
mysql> select * from sed_pm \G
*************************** 1. row ***************************
        pm_id: 6
     pm_state: 0
      pm_date: 1334009749
pm_fromuserid: 1
  pm_fromuser: admin
  pm_touserid: 1
     pm_title: <script>alert(1);</script>
      pm_text:
1 row in set (0.00 sec)

mysql>
===========================================================================
Because the pmoku plugin trusts this stored data and writes it straight into the admin page, it is vulnerable to stored XSS.
Vulnerable code section (the assignment $pm_text = $row['pm_text']; near the bottom of the loop copies the message body out of the database, and the value is then written into the HTML table without any sanitization):

//plugins/pmoku/pmoku.admin.php
----------------------------------------Snip ------------------------------------
// NOTE: the HTML tags inside the string literals (<table>, <tr>, <td> ...) were lost when this
// advisory was extracted; the table markup below is a reconstruction of the structure that the
// surviving text implies, not the plugin's exact markup. The logic is unchanged.
$sql = sed_sql_query("SELECT * FROM sed_pm ORDER by pm_date DESC LIMIT 0,50");
$plugin_body .= "\n\n".$L['editdeleteentries']." :\n\n";
$plugin_body .= "<table>";
$plugin_body .= "<tr>";
$plugin_body .= "<td>".$L['Delete']."</td>";
$plugin_body .= "<td>Tarih</td>";
$plugin_body .= "<td>Gönderen</td>";
$plugin_body .= "<td>Konu</td>";
$plugin_body .= "<td>Mesaj</td>";
$plugin_body .= "<td>Alan</td>";
$plugin_body .= "</tr>";
while ($row = sed_sql_fetcharray($sql))
{
    $pm_id = $row['pm_id'];
    $pm_date = @date($cfg['dateformat'], $row['pm_date'] + $usr['timezone'] * 3600);
    $pm_fromuser = $row['pm_fromuser'];
    $pm_title = $row['pm_title'];     // taken from the database as-is
    $pm_text = $row['pm_text'];       // message body, taken from the database as-is (no escaping)
    $pm_touserid = $row['pm_touserid'];
    $plugin_body .= "<tr>";
    $plugin_body .= "<td>[x]</td>";   // delete control for $pm_id; its link target did not survive extraction
    $plugin_body .= "<td>$pm_date</td>";
    $plugin_body .= "<td>$pm_fromuser</td>";
    $plugin_body .= "<td>$pm_title</td>";   // unescaped output of a user-controlled field
    $plugin_body .= "<td>$pm_text</td>";    // unescaped output of a user-controlled field: the stored XSS sink
    $plugin_body .= "<td>$pm_touserid</td>";
    $plugin_body .= "</tr>";
}
$plugin_body .= "</table>";
------------------------------EOF Snip ------------------------------------
Print screen: http://s019.radikal.ru/i617/1204/b2/9c434fd50926.png

Special Thanks 2 MeTaiZm & 2 All AA Team.
+++++ Greetz to all ++++++
packetstormsecurity.*, securityfocus.com, cxsecurity.com, security.nnov.ru, securityvulns.com and to all others!
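The following is an added example, not code from the pmoku plugin or from Seditio: it rewrites the row-rendering loop of the pmoku.admin.php snippet above so that every value read from sed_pm is HTML-escaped at the point of output, which is the fix the advisory calls for. Because Seditio stores the message title and body unsanitized, output encoding in the plugin is mandatory rather than optional. The helper names pm_esc() and render_pm_table(), the parameters $date_fmt and $tz_offset (standing in for $cfg['dateformat'] and $usr['timezone']), and the sample row are assumptions made for this example; the row is constructed to mirror the sed_pm record shown earlier.

```php
<?php
// Added example (not the pmoku plugin's own code): the admin PM table rendered with
// output escaping on every database-sourced field. Names below are illustrative.
date_default_timezone_set('UTC');

// Escape a database value for safe insertion into an HTML text or attribute context.
function pm_esc($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Render the admin PM table. $rows mimics what sed_sql_fetcharray() returns per row;
// $date_fmt and $tz_offset stand in for $cfg['dateformat'] and $usr['timezone'].
function render_pm_table(array $rows, $date_fmt = 'Y-m-d H:i', $tz_offset = 0)
{
    $html  = "<table>";
    $html .= "<tr><td>Delete</td><td>Tarih</td><td>Gönderen</td><td>Konu</td><td>Mesaj</td><td>Alan</td></tr>";
    foreach ($rows as $row) {
        $pm_date = date($date_fmt, (int)$row['pm_date'] + $tz_offset * 3600);
        // Every column goes through the escaper, including the ones that look numeric:
        // the database is the source, so the plugin treats all of them as untrusted.
        $html .= "<tr>";
        $html .= "<td>[x]</td>";  // delete control; the real link target is omitted here
        $html .= "<td>" . pm_esc($pm_date) . "</td>";
        $html .= "<td>" . pm_esc($row['pm_fromuser']) . "</td>";
        $html .= "<td>" . pm_esc($row['pm_title']) . "</td>";
        $html .= "<td>" . pm_esc($row['pm_text']) . "</td>";
        $html .= "<td>" . pm_esc($row['pm_touserid']) . "</td>";
        $html .= "</tr>";
    }
    $html .= "</table>";
    return $html;
}

// Constructed sample row modelled on the sed_pm record quoted in the advisory.
$rows = array(
    array(
        'pm_id'         => 6,
        'pm_state'      => 0,
        'pm_date'       => 1334009749,
        'pm_fromuserid' => 1,
        'pm_fromuser'   => 'admin',
        'pm_touserid'   => 1,
        'pm_title'      => '<script>alert(1);</script>',
        'pm_text'       => '',
    ),
);

$out = render_pm_table($rows);

// Self-check: the script tag stored in pm_title must reach the page only as inert text.
if (strpos($out, '<script>') !== false) {
    throw new RuntimeException('unescaped markup reached the output');
}
if (strpos($out, '&lt;script&gt;alert(1);&lt;/script&gt;') === false) {
    throw new RuntimeException('expected escaped title not found');
}
echo $out, "\n";
```

Escaping at output, rather than rewriting what Seditio stores, keeps the original message content intact for other consumers of sed_pm and makes the plugin safe regardless of how the CMS or other plugins write to that table; the same pm_esc() call belongs on $pm_title and $pm_fromuser, since the advisory's own database dump shows the script tag arriving through pm_title.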