Valve disclosed on HackerOne: SQL Injection in report_xml.php...

An unvalidated parameter on a partner reporting page (report_xml.php) could be used to read certain SQL data from a single backing database.