The hacker enters a script as the subject of a private message, containing some script commands and this text:
This will copy the contents of your cookie to some kind of database or log file on that other site. As mentioned previously, PostNuke does let the hack do this, but the cookie data isn't in raw text form so it theoretically shouldn't do them any good.
I'm working on a fix to parse out the "script" command from priv_msg (I'm still on .63, not sure if other PN versions are affected).
Also, a warning for our friend here... I've been at this internet thing a long time and I have the time, the know-how, and now the motive to inflict slow and painful revenge.
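An added example, not part of the original post and not PostNuke code: it compares removing "script" tags from a message subject with HTML-escaping the subject when it is rendered. The function names and sample subjects are constructed for illustration, and PHP 7 or later is assumed.

```php
<?php
// Added illustration; function names are hypothetical, not PostNuke APIs.

// Defence in depth: keep the session cookie out of reach of page scripts.
ini_set('session.cookie_httponly', '1');

// Blacklist approach: delete <script> and </script> tags from the subject.
function strip_script_tags(string $subject): string
{
    return preg_replace('#<\s*/?\s*script[^>]*>#i', '', $subject);
}

// Output-encoding approach: keep the subject as entered and escape it
// at the point where it is written into the HTML page.
function render_subject(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample subjects with harmless bodies.
$samples = [
    'plain'   => 'Re: meeting on Friday',
    'script'  => '<ScRiPt>/* constructed */</sCrIpT>hello',
    'handler' => '<img src="x" onerror="/* constructed */">hello',
];

foreach ($samples as $name => $subject) {
    $stripped = strip_script_tags($subject);
    $escaped  = render_subject($subject);

    // Any "<" left after stripping is still interpreted as markup by the browser.
    $markupLeft = strpos($stripped, '<') !== false ? 'yes' : 'no';

    printf("%-8s after strip : %s\n", $name, $stripped);
    printf("%-8s markup left : %s\n", $name, $markupLeft);
    printf("%-8s escaped     : %s\n\n", $name, $escaped);
}
```

The tag filter handles the mixed-case script sample but leaves the event-handler sample as live markup, while the escaped form of every sample contains no raw `<` or `"` and is displayed as text.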