{"vuid":"VU#920931","idnumber":"920931","name":"phpBB does not adequately validate user input for language selection thereby allowing user to execute arbitrary php code","keywords":["phpBB","user input","language selection","execute arbitrary commands","eval()","page_header.php","auth.php"],"overview":"phpBB is an open-source bulletin board program. A user input validation problem exists with regard to language settings. An intruder can excute arbitrary php code and gain a shell  with the privileges of the web server on the system.","clean_desc":"Version 1.4.0 and earlier have a user input validation problem that can lead to the execution of arbitrary php code. The remote user can specify what language they would like to use and phpBB will set several critical variables based on the language file loaded. If a user specifies a non-existant language, phpBB does not check if the input is valid and no language file is loaded. The intruder can use a specially crafted URL to set the variables that should have been set by the language file. The variables are then processed by eval() and the intruder's php code is executed.","impact":"An intruder can excute arbitrary php code and gain a shell  with the privileges of the web server on the system.","resolution":"Upgrade to phpBB version 1.4.1.","workarounds":"","sysaffected":"","thanks":"This vulnerability was discovered by kill-9 <kill-9@modernhackers.com>.","author":"This document was written by Jason Rafail.","public":["http://www.securityfocus.com/bid/3167","http://sourceforge.net/project/shownotes.php?release_id=46274","http://phpBB.sourceforge.net/phpBB/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-08-13T12:47:59Z","publicdate":"2001-08-03T00:00:00Z","datefirstpublished":"2001-09-10T18:17:47Z","dateupdated":"2001-09-13T17:34:45Z","revision":11,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"10","cam_internetinfrastructure":"10","cam_population":"6","cam_impact":"15","cam_easeofexploitation":"17","cam_attackeraccessrequired":"15","cam_scorecurrent":"17.2125","cam_scorecurrentwidelyknown":"17.2125","cam_scorecurrentwidelyknownexploited":"21.515625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":17.2125,"vulnote":null}