Bug
Resolution: Fixed
Major
3.1.0-RC3
None
Hi,
A registered user is able to trigger a general error by supplying unvalidated data, resulting in an invalid SQL query.
First of all, I do understand the end result (getting the admin email address) is part of the system, but I would like to advise against it.
How to reproduce:
UCP->Board preferences->Edit display options->Display posts ordering by
Input is not properly validated; a user can have the system insert any single character into the database. Example: 'x'
After the user visits any topic, a general error will be seen, including the admin password:
—
General Error
SQL ERROR [ mysqli ]
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ASC LIMIT 10' at line 7 [1064]
An SQL error occurred while fetching this page. Please contact the Board Administrator if this problem persists.
—
In viewtopics.php, line 38, the previously unvalidated input is used as $default_sort_key -> $sort_key, and later on at line 971:
$sql_sort_order = $sort_by_sql[$sort_key] . ' ' . $direction
As the 'x' array entry is nonexistent, the final SQL query will be invalid:
SELECT p.post_id FROM phpbb_posts p WHERE p.topic_id = 2 AND p.post_approved = 1 ORDER BY ASC.
The issue might be seen as a simple functional bug, but I strongly believe getting the admin email gives a huge advantage to the attacker.
Regards,
Marcell
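The pattern the report describes, as an added illustration that is not phpBB's own code: a stored, user-controlled sort key is used directly as the index into an allowlist of ORDER BY fragments, so a key with no entry expands to an empty string and produces invalid SQL. The array contents, the base query and the function names below are constructed for the example; the hardened variant falls back to a default key and restricts the direction to ASC/DESC before anything reaches the database.

```php
<?php
// Added example (not phpBB code). Mirrors the report: $sort_by_sql maps
// short user-selectable keys to ORDER BY fragments, and $sort_key comes
// from a stored user preference that was never checked against that map.
// Keys and fragments here are constructed to resemble the report's query.
$sort_by_sql = array(
    'a' => 'u.username_clean',
    't' => 'p.post_id',
    's' => 'p.post_subject',
);
$default_sort_key = 't';

// Vulnerable form of the line quoted in the report: the key is trusted,
// so an unknown key such as 'x' yields "ORDER BY  ASC", which the
// database rejects and the board surfaces as a General Error page.
function build_order_vulnerable(array $sort_by_sql, $sort_key, $direction)
{
    return 'ORDER BY ' . $sort_by_sql[$sort_key] . ' ' . $direction;
}

// Hardened form: both the key and the direction are validated against
// fixed allowlists; anything unknown silently falls back to a default,
// so no user-controlled value can make the query malformed.
function build_order_hardened(array $sort_by_sql, $sort_key, $direction, $default_key)
{
    if (!isset($sort_by_sql[$sort_key])) {
        $sort_key = $default_key;
    }
    $direction = (strtoupper((string) $direction) === 'DESC') ? 'DESC' : 'ASC';
    return 'ORDER BY ' . $sort_by_sql[$sort_key] . ' ' . $direction;
}

$base = 'SELECT p.post_id FROM phpbb_posts p '
      . 'WHERE p.topic_id = 2 AND p.post_approved = 1 ';

// A preference tampered to 'x', as in the report. The '@' only hides
// PHP's own undefined-index notice so the malformed SQL is visible.
echo $base . @build_order_vulnerable($sort_by_sql, 'x', 'ASC'), "\n";
echo $base . build_order_hardened($sort_by_sql, 'x', 'ASC', $default_sort_key), "\n";
```

Run with the PHP CLI; the first line shows the broken ORDER BY clause the report reproduces, the second shows the same request served with the default sort column instead.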