phpBB password disclosure by sql injection

["Rick" <rikul () bellsouth net>]

Hi

There is sql injection vuln in phpBB. The variable "topic_id" is passed
directly from GET to sql query in /viewtopic.php. It can be used 
to get md5 passwords for users. I am attaching details and proof of
concept code.  I've only tested this on mysql 4 and pgsql at my home
machines so I might have missed something...

Rick Patel

Attachment: phpbb_sql.pl
Description: