PT-2003-2318 · Phpbb · Phpbb

Published: 2003-12-31 · Updated: 2017-07-29 · CVE-2003-1373

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

PhpBB versions 1.4.0 through 1.4.4

Description

A directory traversal issue exists, allowing remote attackers to read and include arbitrary files. This is achieved by using .. (dot dot) sequences followed by NULL (%00) characters in CGI parameters. For example, this can be demonstrated using the lang parameter in "prefs.php".

Recommendations

For PhpBB versions 1.4.0 through 1.4.4, consider restricting access to the auth.php file and the prefs.php page to minimize the risk of exploitation. Avoid using the lang parameter in the "prefs.php" page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
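
One way to look for this request pattern in web server access logs, as an added example that is not part of the original advisory. It assumes common-log-format lines and flags query parameters on the two scripts the advisory names when they decode to a ".." path segment or a NUL byte; the log lines, the file name "placeholder" and the parameter "x" are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Scripts named in the advisory; the log layout (common log format) is an assumption.
WATCHED = ("/prefs.php", "/auth.php")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, optionally terminated by a NUL byte.
DOTDOT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|\x00|$)')

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /forum/prefs.php?lang=english HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2004:10:00:05 +0000] "GET /forum/prefs.php?user=1&lang=..%2F..%2Fplaceholder%00 HTTP/1.0" 200 812',
    '192.0.2.44 - - [01/Jan/2004:10:00:09 +0000] "GET /forum/auth.php?x=%252e%252e%252fplaceholder%2500 HTTP/1.0" 200 640',
    '192.0.2.10 - - [01/Jan/2004:10:00:12 +0000] "GET /forum/index.php?lang=..%2Fx%00 HTTP/1.0" 200 300',
]


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e, %2500) is seen."""
    for _ in range(rounds):
        nxt = unquote(value, encoding="latin-1")
        if nxt == value:
            break
        value = nxt
    return value


def suspicious_params(line):
    """Return [(param, has_dotdot, has_nul)] for flagged parameters on a watched script."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(WATCHED):
        return []  # outside the scripts the advisory names
    hits = []
    # Split on the raw '&' and '=' first, then decode each value on its own.
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode(raw.replace("+", " "))
        dotdot = bool(DOTDOT.search(value))
        nul = "\x00" in value
        if dotdot or nul:
            hits.append((name, dotdot, nul))
    return hits


def scan(lines):
    """Return (line_index, hits) for every log line with at least one flagged parameter."""
    return [(i, h) for i, line in enumerate(lines) if (h := suspicious_params(line))]
```

Parameters sent in a POST body do not appear in an access log, so this only covers values passed in the query string.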

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2003-1373

Affected Products

Phpbb