CVE-2003-1215
Description
SQL injection vulnerability in groupcp.php for phpBB 2.0.6 and earlier allows group moderators to perform unauthorized activities via the sql_in parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:phpbb_group:phpbb:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*
- (no CPE) range: <=2.0.6
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in the loop that builds the $sql_in variable allows SQL injection via the members array."
Attack vector
An attacker who is already a group moderator sends a crafted `$HTTP_POST_VARS['members']` (or `pending_members`) array to `groupcp.php`. The loop concatenates each array element into `$sql_in` without any sanitization [ref_id=1]. By injecting a value such as `1) or 1=1/*`, the attacker causes the DELETE query to remove all users from the target group, or the moderator-check query to return unintended results, enabling unauthorized group management actions [ref_id=1].
Affected code
The vulnerability resides in `groupcp.php` of phpBB 2.0.6 and earlier. The `$sql_in` variable is built by concatenating user-supplied array values (`$members`) without sanitization, then used directly in SQL queries [ref_id=1]. The two critical queries are a SELECT on `AUTH_ACCESS_TABLE` and `USER_GROUP_TABLE` to verify moderator status, and a DELETE on `USER_GROUP_TABLE` that removes group members [ref_id=1].
What the fix does
The advisory recommends wrapping each `$members[$i]` value with `intval()` in the loop that builds `$sql_in` [ref_id=1]. Specifically, replace `$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];` with `$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);` [ref_id=1]. This forces every array element to an integer, eliminating the possibility of injecting arbitrary SQL strings into the IN clause.
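The change described above, as an added example (not phpBB's code and not taken from the advisory). The function names, the table and column names and the sample `$members` array are assumptions made for illustration; the stricter variant goes beyond the advisory's `intval()` fix by rejecting malformed ids instead of coercing them.

```php
<?php
// Constructed POST data: two ordinary ids plus the value quoted in the text above.
$members = ['7', '12', '1) or 1=1/*'];

// Pre-fix behaviour: every element is concatenated into the IN list unchanged.
function build_sql_in_vulnerable(array $members): string
{
    $sql_in = '';
    for ($i = 0; $i < count($members); $i++) {
        $sql_in .= (($sql_in != '') ? ', ' : '') . $members[$i];
    }
    return $sql_in;
}

// Advisory fix: intval() forces every element to an integer before concatenation.
function build_sql_in_fixed(array $members): string
{
    $sql_in = '';
    for ($i = 0; $i < count($members); $i++) {
        $sql_in .= (($sql_in != '') ? ', ' : '') . intval($members[$i]);
    }
    return $sql_in;
}

// Stricter variant (assumption, not in the advisory): refuse anything that is
// not a plain decimal string, so a malformed id is never silently turned into 1 or 0.
function build_sql_in_strict(array $members): string
{
    $ids = [];
    foreach ($members as $m) {
        if (!is_string($m) || !ctype_digit($m)) {
            throw new InvalidArgumentException('non-numeric member id');
        }
        $ids[] = (int) $m;
    }
    return implode(', ', $ids);
}

// Hypothetical query shape; table and column names are placeholders.
function delete_query(string $sql_in): string
{
    return "DELETE FROM example_user_group WHERE user_id IN ($sql_in)";
}

echo delete_query(build_sql_in_vulnerable($members)), "\n";
echo delete_query(build_sql_in_fixed($members)), "\n";
try {
    build_sql_in_strict($members);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With `intval()` the third element is coerced to `1`, so the statement stays well-formed but now names user id 1; the strict variant avoids acting on an id the moderator never legitimately selected.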
Preconditions
- auth: Attacker must be a moderator of a group in the phpBB forum
- config: The application must be phpBB 2.0.6 or earlier
- network: Attacker must be able to send HTTP POST requests to groupcp.php
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.phpbb.com/phpBB/viewtopic.php (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/9314 (nvd: Patch, Vendor Advisory)
- marc.info (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/14096 (nvd)