Ultimate PHP Board SQL Injection Vulnerability in Password Recovery Feature

A SQL injection vulnerability has been identified in Ultimate PHP Board version 2.2.7. This issue arises in the password recovery feature, specifically within the 'lostpassword.php' file. The vulnerability allows attackers to manipulate the SQL query by injecting malicious payloads through the username field, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability could bypass authentication, allowing unauthorized access to user accounts. Additionally, it could lead to the extraction of sensitive information or a full compromise of the application's database.

Reproduction

To reproduce this vulnerability, send a request to the 'lostpassword.php' page with a crafted payload in the username field. The payload should be designed to exploit the SQL injection flaw, such as injecting SQL syntax that manipulates the query execution. For example, using ' OR '1'='1' -- as the username input can bypass authentication checks by exploiting the SQL query logic.