CVE-2004-1315

EXPLOITED

phpBB 2.x < 2.0.11 - Remote Code Execution via Double-Encoded Highlight Parameter

Title source: llm

Exploitation Summary

CVE-2004-1315 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including RusH, sasan hezarkhani, and Michael Brooks.

AI-analyzed exploit summary: This Perl script exploits a remote command execution vulnerability in phpBB versions up to 2.0.10 by injecting malicious commands via the 'highlight' parameter in the viewtopic.php script. It URL-encodes the payload and sends it via an HTTP GET request to execute arbitrary commands on the target server.

Description

viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.

Exploits (4)

exploitdb WORKING POC VERIFIED
by RusH · perl · webapps · php
https://www.exploit-db.com/exploits/647

This Perl script exploits a remote command execution vulnerability in phpBB versions up to 2.0.10 by injecting malicious commands via the 'highlight' parameter in the viewtopic.php script. It URL-encodes the payload and sends it via an HTTP GET request to execute arbitrary commands on the target server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: phpBB <= 2.0.10
No auth needed
Prerequisites: Target server running phpBB <= 2.0.10 · Network access to the target server · A valid topic ID on the target forum
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by sasan hezarkhani · perl · webapps · php
https://www.exploit-db.com/exploits/24274

This exploit leverages a PHP script injection vulnerability in phpBB's 'viewtopic.php' by manipulating URI parameters to execute arbitrary commands. It encodes the payload in hexadecimal to bypass sanitization and injects a 'passthru' function call.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: phpBB (version not specified, likely <= 2.0.10)
No auth needed
Prerequisites: Vulnerable phpBB installation · Ability to send crafted HTTP requests to the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Michael Brooks · php · webapps · php
https://www.exploit-db.com/exploits/12510

This exploit leverages a blind SQL injection vulnerability in PHP-Nuke 7.0/8.1/8.1.35 to extract sensitive information such as MD5/SHA1 hashes and arbitrary strings from the database. It bypasses protections like AppArmor and Suhosin Hardened-PHP by using a custom LFI+SQLI attack.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: PHP-Nuke 7.0/8.1/8.1.35
No auth needed
Prerequisites: Target running PHP-Nuke 7.0/8.1/8.1.35 · Access to the target URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
ruby · webapps · php
https://www.exploit-db.com/exploits/16890

This Metasploit module exploits a PHP code injection vulnerability in phpBB's viewtopic.php via the 'highlight' parameter, leveraging improper input validation in preg_replace(). It supports multiple versions and automatically detects the appropriate exploit method.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: phpBB 2.0.4 through 2.0.15
No auth needed
Prerequisites: A valid topic ID or the ability to discover one via brute-force
devstral-2 · analyzed Feb 19, 2026

References (11)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10701
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/200411-32
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=110365752909029&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18052
Vendor Advisory x_refsource_confirm
http://www.phpbb.com/phpBB/viewtopic.php?t=240513
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/497400
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA04-356A.html
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/13239/
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?t=110079440800004&r=1&w=2
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/385208
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=110029415208724&w=2

Scores

EPSS 0.8591
EPSS Percentile 99.4%

Details

VulnCheck KEV 2017-06-20
Status published
Products (29)
phpbb_group/phpbb
phpbb_group/phpbb 1.0.0
phpbb_group/phpbb 1.0.1
phpbb_group/phpbb 1.2.0
phpbb_group/phpbb 1.2.1
phpbb_group/phpbb 1.4.0
phpbb_group/phpbb 1.4.1
phpbb_group/phpbb 1.4.2
phpbb_group/phpbb 1.4.4
phpbb_group/phpbb 2.0.0
... and 19 more
Published Nov 12, 2004
Tracked Since Feb 18, 2026