Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability

Title: Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2011-5018
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 09.06.2011
Summary
The 'Pacer Edition' is a Content Management System(CMS) written using PHP 5.2.9 as a minimum requirement. The Pacer Edition CMS was based from Website baker core and has been completely redesigned with a whole new look and feel along with many new advanced features to allow you to build sites exactly how you want and make them, 100% yours!
Description
Pacer Edition CMS suffers from a XSS vulnerability when parsing user input to the 'email' parameter via POST method in 'admin/login/forgot/index.php'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

--------------------------------------------------------------------------------

/admin/login/forgot/index.php
----------------
77: if(isset($_POST['email']) AND $_POST['email'] != "") {
78:
79: $email = $_POST['email'];
80:
81: // Check if the email exists in the database
82: $query = "SELECT user_id,username,display_name,email,last_reset,password FROM ".TABLE_PREFIX."users WHERE email = '".$admin->add_slashes($_POST['email'])."'";
83: $results = $database->query($query);

--------------------------------------------------------------------------------

Vendor
The Pacer Edition - http://www.thepaceredition.com
Affected Version
RC 2.1 (SVN: 867)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
pacercms_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/102140
[2] http://securityreason.com/wlb_show/WLB-2011060036
[3] http://xforce.iss.net/xforce/xfdb/67975
[4] http://www.securityfocus.com/bid/48215
Changelog
[09.06.2011] - Initial release
[10.06.2011] - Added reference [2]
[11.06.2011] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk