Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via the (1) u parameter to auction_rating.php or (2) ar parameter to action_offer.php.
https://exchange.xforce.ibmcloud.com/vulnerabilities/20203
http://www.securityfocus.com/archive/1/441190/100/0/threaded