Information: The IP-Tracking Mod is an extension for phpBB2.0.x which
logs all page hits made by the board's users, including Referer, IP and
username. It contains an SQL injection at admin level. You can get it

Steps to reproduce: Go into your ACP, select IP-Search under IP-Tracking,
select "no" at "use wildcards" and enter what you want in Search Query.
It is passed directly through to the query. As Search Type I used IP.
' UNION SELECT user_password as
as Search Query. This will display all the hashed user passwords in IP
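
An added example (not the mod's code and not part of the original advisory) of a search handler in which the Search Query never becomes part of the SQL text. Python's sqlite3 stands in for the board's database; the table name, column names, sample rows and the username search type are constructed assumptions.

```python
import ipaddress
import sqlite3

def build_db():
    """Constructed stand-in for the tracking table (all names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ip_tracking (ip TEXT, username TEXT, referer TEXT)")
    db.executemany(
        "INSERT INTO ip_tracking VALUES (?, ?, ?)",
        [("192.0.2.10", "alice", "http://example.test/a"),
         ("192.0.2.11", "bob", "http://example.test/b"),
         ("198.51.100.7", "alice", "")],
    )
    return db

def search_by_ip(db, query, use_wildcards=False):
    """Search logged hits by IP without letting the input reach the SQL text."""
    if use_wildcards:
        # Allow only digits, dots and '*', so the pattern cannot carry quotes
        # or LIKE metacharacters; '*' is then mapped to '%'.
        if not query or any(c not in "0123456789.*" for c in query):
            raise ValueError("invalid wildcard IP pattern")
        sql = "SELECT ip, username FROM ip_tracking WHERE ip LIKE ? ORDER BY ip"
        param = query.replace("*", "%")
    else:
        # Exact search ("no" at use wildcards): the value must parse as an IP.
        try:
            param = str(ipaddress.ip_address(query))
        except ValueError:
            raise ValueError("invalid IP address") from None
        sql = "SELECT ip, username FROM ip_tracking WHERE ip = ? ORDER BY ip"
    # The value is bound as a parameter, never concatenated into the statement.
    return db.execute(sql, (param,)).fetchall()

def search_by_username(db, query):
    """Free-text field: no format to validate, so binding is the only defence."""
    sql = "SELECT ip, username FROM ip_tracking WHERE username = ? ORDER BY ip"
    return db.execute(sql, (query,)).fetchall()
```

With this structure the fragment quoted in the steps above is rejected by the IP search and is compared as a plain string by the username search, so it matches no rows.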