PT-2001-2561 · Phpbb · Phpbb

Published: 2001-07-31 · Updated: 2024-02-15 · CVE-2001-1471

CVSS v2.0: 4.6 (Medium)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: phpBB versions 1.4.0 and earlier

Description: The issue allows remote authenticated users to execute arbitrary PHP code via an invalid language value. This prevents the variables $l_statsblock in prefs.php or $l_privnotify in auth.php from being properly initialized. These variables can be modified by the user and are later used in an eval statement, leading to code execution.

Recommendations: For phpBB versions 1.4.0 and earlier, consider disabling the language selection feature in prefs.php until a patch is available. Restrict access to the prefs.php and auth.php files to minimize the risk of exploitation. Avoid using the $l_statsblock and $l_privnotify variables in eval statements until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
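The following is an added illustration of the pattern described above and of the recommended hardening; it is constructed for this entry and is not phpBB's own code. It models the improper-initialization defect: a template variable ($l_statsblock, named on this page) is assigned only inside a language file chosen by a user-supplied value, so an invalid value leaves it unset and whatever the user supplied reaches eval(). The language-file path, the whitelist of languages, the function names and the sprintf-based substitution are assumptions for the example.

```php
<?php
// Constructed example for CVE-2001-1471 (improper initialization + eval); not phpBB code.

// --- Vulnerable pattern ---------------------------------------------------
function render_stats_vulnerable(string $language): string
{
    // Modelled on PHP 4 scripts where $l_statsblock lived in global scope.
    global $l_statsblock;

    // The include path is built from the user's language selection. If no
    // such file exists, the include only emits a warning and $l_statsblock
    // is never assigned by trusted code.
    @include "language/lang_$language.php";   // assumed file layout

    // With register_globals enabled (PHP of that era), a request parameter
    // named l_statsblock fills the still-uninitialized global, so user data
    // is what gets interpreted as PHP below.
    eval('$out = "' . $l_statsblock . '";');
    return $out;
}

// --- Hardened pattern -----------------------------------------------------
const ALLOWED_LANGUAGES = ['english', 'german', 'french'];   // assumed list

function render_stats_hardened(string $language, int $topics, int $posts): string
{
    // 1. Validate the selector against a fixed whitelist, never the filesystem.
    if (!in_array($language, ALLOWED_LANGUAGES, true)) {
        $language = 'english';   // fall back to a known-good default
    }

    // 2. Initialize every template variable before anything can read it,
    //    so a missing or partial language file cannot leave it undefined.
    $l_statsblock = 'Total topics: %d, total posts: %d';

    // 3. Load the translation only if the file exists; a translation may
    //    overwrite the default, but nothing from the request can.
    $path = __DIR__ . "/language/lang_$language.php";   // assumed file layout
    if (is_file($path)) {
        include $path;
    }

    // 4. Do not eval() template strings; substitute values with sprintf.
    return sprintf($l_statsblock, $topics, $posts);
}
```

The hardened version addresses each recommendation on this page: the language value is validated before it is used, the variable is initialized unconditionally, and eval is removed from the rendering path.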

Weakness Enumeration

Improper Initialization

Related Identifiers

CVE-2001-1471

Affected Products

Phpbb