fuzion

Product: Seagull STABLE 0.6.3
http://seagullproject.org/

Vulnerable:
Seems that none of the theme CSS renderers sanitize variables against cross-site scripting.

Register Globals = ON

Multiple Cross Site Scripting problems:
http://[site]/themes/default1/css/blockStyle.php?secondary=[xss]

Also vulnerable:
themes/default1/css/core.php
themes/default1/css/event.php
themes/default1/css/media.php
themes/default1/css/publisher.php
themes/default1/css/SglDefault_TwoLevel.nav.php
themes/default1/css/SglListamaticSubtle.nav.php
themes/default_admin/css/adminMenu_vertical.nav.php
themes/default_admin/css/block.php
themes/default_admin/css/blockStyle.php
themes/default_admin/css/cms.php
themes/default_admin/css/comment.php
themes/default_admin/css/core.php
themes/default_admin/css/navigation.php
themes/default_admin/css/publisher.php
themes/default_admin/css/user.php

Some common vulnerable variables:
secondary
fontFamilyAlt
primaryLight
greyLightest
leftColWidth
grey
primaryDark
primary
baseUrl

Several of these cause path disclosure as well:
http://[site]/themes/default_admin/css/core.php

PoC:
http://demo.seagullproject.org/themes/default_admin/css/core.php

Other vulnerabilities may be available if Seagull was not properly installed:
http://[site]/[path]/etc/mysql5_field_test.php?res=[xss]
http://[site]/[path]/modules/event/www/css/event.php?baseUrl=[xss]
http://[site]/[path]/modules/media/www/css/media.php?greyDark=[xss]
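A log check built from the script paths listed in this advisory, as an added example that is not part of the original advisory or of Seagull's code: it flags requests to the CSS renderer scripts whose query parameters carry anything other than a plain style value. The combined access-log format, the style-value allowlist, the function names and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script locations named in the advisory: theme CSS renderers, module CSS
# renderers, and the leftover test script.
RENDERER = re.compile(
    r"(/themes/[^/]+/css/[^/]+\.php|/modules/[^/]+/www/css/[^/]+\.php"
    r"|/etc/mysql5_field_test\.php)$"
)
# Assumed allowlist for a legitimate style value (colours, sizes, fonts, plain URLs).
SAFE_VALUE = re.compile(r"[\w#%.,:/ \-]*")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for renderer requests with non-style values."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not RENDERER.search(url.path):
        return []
    # parse_qsl percent-decodes, so encoded markup is checked in decoded form.
    # With register_globals on, POST bodies and cookies can set the same
    # variables; those are not visible in an access log.
    return [(k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)
            if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Map each flagged log line number (1-based) to its offending parameters."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = suspicious_params(line)
        if found:
            hits[n] = found
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /themes/default1/css/core.php HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2007:10:00:05 +0000] "GET /themes/default1/css/blockStyle.php?secondary=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 4100',
    '192.0.2.12 - - [01/Jan/2007:10:00:09 +0000] "GET /themes/default_admin/css/core.php?primary=%23336699 HTTP/1.1" 200 5120',
    '192.0.2.13 - - [01/Jan/2007:10:00:12 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 900',
    '192.0.2.14 - - [01/Jan/2007:10:00:20 +0000] "GET /seagull/modules/media/www/css/media.php?greyDark=%22%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, params in scan(SAMPLE).items():
        print(n, params)
```

Because the advisory's variable list is described as only "some common" names, the check keys on the script path and the value shape rather than on the parameter name.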