- Bug
- Resolution: Fixed
- Major
- PHP: 5.2.3, MySQL: 5.0.45, OS: Win 7, Browser: Firefox
With this serious bug, an attacker can steal the sid of the victim by checking the referer URL.
In popular topics, the number of victims may be hundreds!
How to do it?
As we can see in the attached image file, the sid is contained in the URL in many places, after actions like browsing the post before sending it, or browsing the PMs.
Then if you posted a URL such as anysite/anything/image.php that returns an IMAGE that should be viewed in the post, but before the request has finished, the image.php file will check and store the REFERER URL of the member who clicked the BROWSE button, which contains the SID!
EX:
Try to post an image via bbcode: [img]yousite/image.php[/img], where image.php does what I mentioned above.
Every member who clicks the Browse button before posting will see the previous posts loaded below the posting form, and so the post that contains our file "image.php" will be loaded too, and then a request to "image.php" will be made, and the referer that contains the SID is sent with the request.
I call this bug "O-C-K" or One Click Kill.
Thanks a lot ...
BlzOfHK
Bye..
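
An audit check for the leak reported above, as an added example (not part of the original report or the project's code): given a page URL and its rendered HTML, it lists the off-site hosts that would receive the sid in the Referer header. The `sid` parameter name follows the report; the function names, sample URL and sample HTML are constructed, and the default policy is an assumption that models browsers sending the full URL on cross-origin requests.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Assumption: the session id travels in a query parameter named "sid".
SESSION_PARAMS = {"sid"}
# Referrer-Policy values that strip the path and query on cross-origin requests.
SAFE_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}
# (tag, attribute) pairs a browser fetches automatically while rendering.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href")}


class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if v and (tag, k) in AUTO_FETCH]


def referer_leaks(page_url, html, referrer_policy="no-referrer-when-downgrade"):
    """Return sorted off-site hosts that would get page_url, sid included, as Referer."""
    page = urlsplit(page_url)
    if SESSION_PARAMS.isdisjoint(parse_qs(page.query)):
        return []  # no session id in the URL, nothing to leak
    if referrer_policy in SAFE_POLICIES:
        return []  # off-site requests see at most the origin
    collector = ResourceCollector()
    collector.feed(html)
    leaked = set()
    for raw in collector.urls:
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme not in ("http", "https") or target.hostname == page.hostname:
            continue  # same host, or not fetched over HTTP at all
        downgrade = page.scheme == "https" and target.scheme == "http"
        if downgrade and referrer_policy != "unsafe-url":
            continue  # browsers omit Referer on HTTPS -> HTTP requests
        leaked.add(target.hostname)
    return sorted(leaked)


# Constructed sample: a posting preview page whose URL carries the sid and
# which renders an earlier post that embeds an off-site image.
PREVIEW_URL = "http://forum.example/posting.php?mode=reply&t=42&sid=0123456789abcdef"
PREVIEW_HTML = '<img src="images/smile.gif"><img src="http://images.example.net/image.php">'

if __name__ == "__main__":
    print(referer_leaks(PREVIEW_URL, PREVIEW_HTML))
    print(referer_leaks(PREVIEW_URL, PREVIEW_HTML, "strict-origin-when-cross-origin"))
```

An empty result for every page means either the sid is kept out of URLs (cookie-only sessions) or the response sends a Referrer-Policy that strips the query string.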