TorrentPier Authenticated SQL Injection Vulnerability in Moderator Control Panel
Vulnerability
An authenticated SQL injection vulnerability has been identified in TorrentPier versions through 2.8.8. The issue resides in the moderator control panel (`modcp.php`), where user-supplied `topic_id` parameters are not properly sanitized before being included in SQL queries. This vulnerability allows moderators to execute arbitrary SQL commands, potentially leading to unauthorized data disclosure, modification, or deletion within the database.
Impact
Exploitation of this vulnerability allows authenticated moderators to execute arbitrary SQL queries, with the potential to read, modify, or delete any data in the database. This includes sensitive information such as user credentials, private messages, and email addresses. Additionally, it could be used to alter forum data or escalate privileges by modifying user roles.
Reproduction
To reproduce this vulnerability, log in as a moderator and access the moderator control panel. The `topic_id` parameter can be manipulated to inject SQL payloads. The vulnerability can be exploited manually or with automated tools such as `sqlmap`, targeting the `t` parameter in `modcp.php`. The injection can be confirmed by extracting data from the database, such as the current database name.
Remediation
Users can update to TorrentPier version 2.8.9 or later, where this vulnerability has been patched.
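For sites that ran an affected version, the web server logs can be reviewed for `modcp.php` requests whose `t` value is not a plain number. The following is an added example, not code from the advisory or from TorrentPier; it assumes combined-format access logs, that a legitimate topic ID is a decimal integer, and that `t` arrives in the query string (values sent in a POST body are not logged and will not be seen). The function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate topic ID is a short run of ASCII digits.
TOPIC_ID_RE = re.compile(r"[0-9]{1,10}")


def suspicious_topic_ids(log_lines):
    """Return (line_number, decoded_value) for each modcp.php request
    whose `t` query parameter is not a plain decimal integer."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/modcp.php"):
            continue
        # parse_qs percent-decodes values; keep_blank_values keeps an empty `t=`.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("t", []):
            if not TOPIC_ID_RE.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines; addresses, timestamps and the other
# query parameters are illustrative, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /modcp.php?t=1523&mode=lock HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /modcp.php?t=1523%27&mode=lock HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /modcp.php?mode=lock&t=1523%20AND%201%3D1 HTTP/1.1" 200 512',
    '198.51.100.2 - - [01/Jan/2025:10:01:00 +0000] "GET /viewtopic.php?t=abc HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for number, value in suspicious_topic_ids(SAMPLE_LOG):
        print(f"line {number}: t={value!r}")
```

Because the flaw requires a moderator session, each hit can be traced back to the account behind the request.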
