=======================================================
  Multiple vulnerabilities in punbb-1.2.1 profile.php
=======================================================

 Description
 -----------

A remote attacker without an account can set the password
of any user on the system to NULL, effectively shutting
them out of the system.

A user on the system can also inject an arbitrary
SQL statement using the change email feature. This has
occurred because of a fault in the is_valid_email function,
which returns true for strings that are not even close to
being a valid email.

This also affects systems using the magic_quotes_gpc
option in php.ini.

By combining these two an attacker with an account on
the forum can change the password for any user to anything
he/she wants to, gaining full access to the administrator
account.

 Proof of concept
 ----------------

Examples of the damage the DoS attack and the arbitrary
SQL statement attack can do on their own have been
omitted. This is a demonstration of their power when
combined.

Assumptions for this particular example:
 - There is a user on the system with id 3 that has
   username/password set to 'sha'/'passwd'.
 - The cookie is valid for sha on the system.
 - The system supports sha1.
 - The new password for the id 2 account is supposed to
   be 'newpass'.

curl --cookie punbb_cookie=<valid cookie> --form form_sent=1 --form req_new_email="6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@punbb.com" http://target/profile.php?action=change_email\&id=3

This will push the sha1 hash of the password 'newpass'
into every user's activate_string field. All that needs
to be done is pushing this field into the password field
of any user we want using the other bug.

curl http://target/profile.php?action=change_pass\&id=2\&key=

Now the account with user id 2 has the password 'newpass' set.
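The two checks that close both holes, as an added illustration that is not punbb's own code: a strict address validator that rejects the payload above before it reaches SQL, a bound parameter so a value can never change the query, and a change_pass path that refuses an empty key. The in-memory users table, the user ids and the hash strings are constructed for this example.

```python
import hmac
import re
import sqlite3

# The payload quoted in the proof of concept, used here as test input.
INJECTED_EMAIL = "6c55803d6f1d7a177a0db3eb4b343b0d50f9c111' -- sha@punbb.com"

# One local part, one '@', a dotted domain; no whitespace, quotes or
# comment markers can slip through this pattern.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_valid_email(email: str) -> bool:
    return len(email) <= 50 and EMAIL_RE.fullmatch(email) is not None


def make_db() -> sqlite3.Connection:
    """Constructed users table with the fields the advisory names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, activate_string TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (2, "admin@example.invalid", "hash-of-admin-pass", None),
        (3, "sha@example.invalid", "hash-of-passwd", None),
    ])
    return db


def change_email(db, user_id: int, new_email: str) -> bool:
    """Validate first; the bound '?' keeps the value out of the SQL text."""
    if not is_valid_email(new_email):
        return False
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))
    return True


def store_email_bound(db, user_id: int, new_email: str) -> str:
    """Even with no validation, a bound parameter is stored as data, not run as SQL."""
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))
    return db.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def change_pass(db, user_id: int, key: str, new_hash: str) -> bool:
    """An empty or missing key never matches; compare the rest in constant time."""
    row = db.execute("SELECT activate_string FROM users WHERE id = ?", (user_id,)).fetchone()
    if not key or row is None or not row[0] or not hmac.compare_digest(key, row[0]):
        return False
    db.execute("UPDATE users SET password = ?, activate_string = NULL WHERE id = ?",
               (new_hash, user_id))
    return True
```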