popup.php in Virtual War (aka VWar) 1.6.1 R2 allows remote attackers to bypass intended member restrictions and read news posts via a modified newsid parameter in a printnews action.Referenceshttp://dmcdonald.net/vwar.txthttp://seclists.org/fulldisclosure/2010/Aug/235
