phpBB 1.4 - Remote SQL Query Manipulation Vulnerability

ID EDB-ID:21046
Type exploitdb
Reporter kill-9
Modified 2001-08-03T00:00:00


phpBB 1.4 Remote SQL Query Manipulation Vulnerability. CVE-2001-1472. Webapps exploit for php platform


phpBB is free, open-source, easy-to-use web forums software.

An issue exists in phpBB which allows a remote attacker to manipulate SQL queries in such a way as to gain an administrative account with the service.

This problem is due to improper validation of user-supplied input by certain variables in phpBB. This issue can be exploited by making a cleverly crafted web request that contains arbitrary user-supplied replacement values.

One consequence of successful exploitation is that the attacker will be privy to user information. 



1. Register an account on a phpBB board version
1.4.x .
2. Enter above URL with the correct sitename
and replace l337h4x0r with your username.
3. Click on "Administration Panel" near the bottom of
the page.