CVE-2003-0486

An attacker can exploit this vulnerability by sending a crafted GET request to `viewtopic.php` with a modified `topic_id` parameter. This parameter is directly incorporated into a SQL query without sufficient sanitization, allowing for SQL injection. The attacker can then use a UNION-based SQL query to extract sensitive information, such as user password hashes, from the `phpbb_users` table [ref_id=1].

The vulnerability resides in the `viewtopic.php` script, specifically in how the `topic_id` variable is handled. The script retrieves the `topic_id` from GET parameters and passes it directly into a SQL query without adequate sanitization, as shown in the provided exploit details [ref_id=1].

The advisory indicates that the fix involves modifying the `viewtopic.php` script to properly sanitize the `topic_id` parameter. While a specific patch diff is not provided, the general recommendation is to ensure that user-supplied input used in SQL queries is validated and escaped to prevent injection attacks [ref_id=1].

The provided reference [ref_id=1] includes a Perl script that demonstrates how to exploit this vulnerability by sending crafted HTTP requests to extract password hashes. The script iterates through characters of the password hash, constructing a UNION query for each character position.