VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 23, 2004· Updated Apr 16, 2026

CVE-2004-0339

CVE-2004-0339

Description

phpBB 2.0.6c and earlier suffer from an XSS flaw in ViewTopic.php via the unvalidated 'postorder' parameter, enabling cookie theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpBB 2.0.6c and earlier suffer from an XSS flaw in ViewTopic.php via the unvalidated 'postorder' parameter, enabling cookie theft.

## Vulnerability phpBB versions possibly 2.0.6c and earlier contain a cross-site scripting (XSS) vulnerability in ViewTopic.php. The postorder parameter is not properly sanitized, allowing injection of arbitrary HTML or script into the generated page. The vulnerable code path is reachable whenever a topic is viewed with any value for postorder [1].

Exploitation

An attacker can inject malicious code by crafting a URL containing a postorder parameter with script payloads, such as %22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C (unescaping to "><script>alert(document.cookie)</script><) [1]. When a victim clicks the crafted link, the injected script executes in the context of the phpBB site. No authentication or special privileges are required; the attacker only needs to lure the victim to the malicious URL.

Impact

Successful exploitation allows remote attackers to execute arbitrary HTML or script in the context of the victim's browser, potentially leading to session cookie theft or other client-side attacks. The attacker can impersonate the victim, read sensitive information displayed on the forum, or perform actions on behalf of the user [1]. The compromise occurs entirely in the browser and can affect any user who visits the malicious link.

Mitigation

The official fix for CVE-2004-0339 was included in phpBB 2.0.7, released in March 2004. The vulnerability is addressed by properly sanitizing the postorder parameter. Users should upgrade to phpBB 2.0.7 or later [1]. If upgrading is not possible, applying a manual patch to validate the postorder parameter against a whitelist of allowed values (e.g., "asc", "desc") is a workaround.

References
  1. 'New phpBB ViewTopic.php Cross Site Scripting Vulnerability'

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • PhpBB/phpBB10 versions
    cpe:2.3:a:phpbb_group:phpbb:2.0:*:*:*:*:*:*:*+ 9 more
    • cpe:2.3:a:phpbb_group:phpbb:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*
    • (no CPE)range: <=2.0.6c

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of the 'postorder' parameter in ViewTopic.php allows reflected cross-site scripting."

Attack vector

An attacker crafts a URL to a legitimate phpBB topic (e.g., `viewtopic.php?t=123456`) and appends a malicious `postorder` parameter containing HTML or JavaScript. Because phpBB does not sanitize the `postorder` value before reflecting it in the page's HTML (inside an `

Affected code

The vulnerability is in `ViewTopic.php` of phpBB, specifically in how the `postorder` parameter is handled. The advisory states that "phpBB doesn't filter out illegal characters from 'postorder'", allowing the injection of arbitrary HTML or script code into the page output [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory does not provide remediation code; it only identifies that phpBB fails to filter illegal characters from the `postorder` parameter [ref_id=1]. A proper fix would involve validating or encoding the `postorder` input before reflecting it in the HTML output, preventing injection of arbitrary script or HTML.

Preconditions

  • configThe target must be running a vulnerable version of phpBB (possibly 2.0.6c and earlier).
  • inputThe attacker must be able to craft a URL with a malicious postorder parameter and deliver it to a victim.
  • authThe victim must be logged into phpBB (for cookie theft) and click the crafted link.
  • networkNo special network position is required; the attack works over HTTP/HTTPS.

Reproduction

The advisory provides a proof-of-concept exploit URL: `http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C` which decodes to `">

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.