CVE-2001-1471

Description

prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value, which prevents the variables (1) $l_statsblock in prefs.php or (2) $l_privnotify in auth.php from being properly initialized, which can be modified by the user and later used in an eval statement.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

phpBB / phpBB1.4.0

References

MISChttp://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2001-08/0087.html
MISChttp://archives.neohapsis.com/archives/bugtraq/2001-08/0123.html
MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/6944
MISChttp://www.kb.cert.org/vuls/id/920931
MISChttp://www.securityfocus.com/bid/3167