search menu icon-carat-right cmu-wordmark

CERT Coordination Center

phpBB does not adequately validate user input for language selection thereby allowing user to execute arbitrary php code

Vulnerability Note VU#920931

Original Release Date: 2001-09-10 | Last Revised: 2001-09-13


phpBB is an open-source bulletin board program. A user input validation problem exists with regard to language settings. An intruder can excute arbitrary php code and gain a shell with the privileges of the web server on the system.


Version 1.4.0 and earlier have a user input validation problem that can lead to the execution of arbitrary php code. The remote user can specify what language they would like to use and phpBB will set several critical variables based on the language file loaded. If a user specifies a non-existant language, phpBB does not check if the input is valid and no language file is loaded. The intruder can use a specially crafted URL to set the variables that should have been set by the language file. The variables are then processed by eval() and the intruder's php code is executed.


An intruder can excute arbitrary php code and gain a shell with the privileges of the web server on the system.


Upgrade to phpBB version 1.4.1.

Vendor Information


PHPBB Affected

Updated:  August 16, 2001



Vendor Statement

This release [phpBB 1.4.1] fixed major security holes that allow malicious users to re-write the URL to gain admin status or allow the malicious use of HTML or BBCode to gain admin status.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was discovered by kill-9 .

This document was written by Jason Rafail.

Other Information

CVE IDs: None
Severity Metric: 17.21
Date Public: 2001-08-03
Date First Published: 2001-09-10
Date Last Updated: 2001-09-13 17:34 UTC
Document Revision: 11

Sponsored by CISA.