This is my first report to Bugtraq; I hope this is useful. This has been tested on vBulletin version 2.2.0. The vendor is CC'd on this message. I would imagine this applies to many products, not just vBulletin, which I would like to say is more secure than most.
It involves a few different parts, firstly some malicious scripting and then tricking the forum into accepting data from the wrong place.
First, I post some malicious HTML in a reply to a topic that allows HTML:
/bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a4719cd620534914930b86839c4bb5f8;%20bbthreadview=1012444064;%20bblastvisit=1011983161
At first I thought this was useless since the forum uses a one-way encryption hash to protect the password... however, then it occurred to me that if I log out and clear my cookies, I can add these variables into the URL of any page and the forum will use those variables to log me in transparently, just like it ordinarily does when you leave the forum and come back. So I added the variables to the URL and bingo, it logged me in as a moderator of the forum, who was being my guinea pig.
Disable HTML; make sure that there is absolutely nowhere on the page where HTML can be echoed onto a page. Disable the [img] tag for good measure.
Ensure that $bbuserid, $bbpassword, and the rest of the cookied variables are coming from the cookie and not from GET or POST data, by using the $HTTP_COOKIE array.
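The second recommendation, sketched in PHP as an added example (this is not vBulletin's code and not code from the report): it contrasts a merged GET/POST/cookie lookup, which is how globally registered request variables behave, with a lookup that reads the cookie array only. The function names, the sample request and the format checks (numeric id, 32 hex characters, taken from the shape of the values shown above) are assumptions.

```php
<?php
// Added example, not vBulletin code. Function names are hypothetical.

// Mimics request variables registered as globals: GET, POST and cookie
// data are copied into one namespace, later sources overriding earlier
// ones. With no cookie present, query-string values are all that remain.
function login_vars_merged(array $get, array $post, array $cookie): array
{
    $merged = array_merge($get, $post, $cookie);
    return [
        'bbuserid'   => $merged['bbuserid']   ?? null,
        'bbpassword' => $merged['bbpassword'] ?? null,
    ];
}

// Hardened lookup: only the cookie array is consulted (pass $_COOKIE, or
// $HTTP_COOKIE_VARS on PHP versions that predate the superglobals).
// Format checks are an assumption based on the values in the report.
function login_vars_cookie_only(array $cookie): ?array
{
    $id   = $cookie['bbuserid']   ?? null;
    $hash = $cookie['bbpassword'] ?? null;
    if (!is_string($id) || !is_string($hash)) {
        return null;            // missing, or an array smuggled in as name[]=
    }
    if (!ctype_digit($id) || !preg_match('/\A[0-9a-f]{32}\z/', $hash)) {
        return null;            // wrong shape, treat as not logged in
    }
    return ['bbuserid' => (int) $id, 'bbpassword' => $hash];
}

// Constructed request: cookies cleared, login variables in the URL only.
$get    = ['bbuserid' => '7', 'bbpassword' => str_repeat('0', 32)];
$post   = [];
$cookie = [];

// Compare what each lookup yields for the same request.
var_dump(login_vars_merged($get, $post, $cookie));
var_dump(login_vars_cookie_only($cookie));
```

Reading from the cookie array closes the URL route described above; it does not help if the cookie itself has been captured, which is what the first recommendation addresses.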