VYPR
Unrated severity · NVD Advisory · Published Apr 19, 2004 · Updated Apr 16, 2026

CVE-2004-1950

Description

phpBB 2.0.8a and earlier trusts X-Forwarded-For header, allowing remote attackers to spoof IP addresses and bypass bans.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In phpBB 2.0.8a and earlier, common.php derives the user's IP address from the HTTP_X_FORWARDED_FOR request header without checking that a trusted proxy set it. The affected code (lines 126-146 of common.php, per [2]) takes the first public address found in the header as the client address, so any client that sends the header can claim an arbitrary public IP [1][2].

Exploitation

An attacker sends an HTTP request with an X-Forwarded-For header containing the address they want to appear from; phpBB records that address for the session and uses it for ban checks and logging. No account or special privilege is needed: anyone who can reach the web server can set the header [1].

Impact

By choosing the address, an attacker can bypass IP-based bans and make their activity appear to originate from another host, so logs attribute it to a third party. This is not code execution, but it defeats IP-based access controls and undermines the forensic value of the IP fields in phpBB's logs [1].

Mitigation

The fix removes the X-Forwarded-For handling altogether so that the client address comes from REMOTE_ADDR, which the web server sets from the TCP connection and which the client cannot forge. A patch doing exactly that is given in [2], and phpBB shipped the change in version 2.0.9 [1][2]. Installations that sit behind a reverse proxy will then see the proxy's address as the client; in that case the proxy itself (not phpBB) should supply the real client address, and the header should be trusted only when the connection comes from that proxy.
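The client-IP derivation the Vulnerability, Exploitation and Mitigation sections describe, as an added example that is not phpBB's code: a reconstruction of the trust-the-header pattern, the 2.0.9 behaviour that ignores the header, and a trusted-proxy variant for sites that genuinely sit behind a reverse proxy. The function names, the private-range list, the ban list, the addresses and the proxy scenario are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed private ranges for the fallback check; an assumption standing in
# for whatever list the original code used, not copied from phpBB.
_PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _parse_ipv4(value):
    """Return an IPv4Address for a dotted quad, or None for anything else."""
    try:
        return ipaddress.IPv4Address(value.strip())
    except ValueError:
        return None


def _is_private(ip):
    return any(ip in net for net in _PRIVATE_RANGES)


def client_ip_vulnerable(remote_addr, headers):
    """Pre-2.0.9 pattern described in the advisory: if X-Forwarded-For is
    present, honour its first address unless it is private, in which case fall
    back to REMOTE_ADDR. The header is set by the requester, so any public
    address can be claimed."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return remote_addr
    first = _parse_ipv4(xff.split(",")[0])
    if first is None or _is_private(first):
        return remote_addr
    return str(first)


def client_ip_fixed(remote_addr, headers):
    """The 2.0.9 fix: the header is ignored; the TCP peer address is the client."""
    return remote_addr


def client_ip_behind_trusted_proxy(remote_addr, headers, trusted_proxies):
    """Hypothetical variant for sites that really sit behind a reverse proxy.
    Trust the header only when the TCP peer is a known proxy, then walk the
    list from the right, discarding trusted proxy hops; the first untrusted
    address is the client. Anything left of it was supplied by the requester."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = _parse_ipv4(remote_addr)
    if peer is None or not is_trusted(peer):
        return remote_addr  # direct connection: the header means nothing
    hops = [h for h in (_parse_ipv4(p) for p in headers.get("X-Forwarded-For", "").split(","))
            if h is not None]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return remote_addr  # every hop was a trusted proxy; nothing better is known


def is_banned(ip, ban_list):
    """Stand-in for phpBB's IP ban check: exact match against a set of addresses."""
    return ip in ban_list


def demo():
    """Constructed scenario: a banned host forges the header, both directly and
    through a reverse proxy at 10.0.0.5 that appends the real address."""
    ban_list = {"203.0.113.10"}
    attacker = "203.0.113.10"
    forged = {"X-Forwarded-For": "198.51.100.77"}
    via_proxy = {"X-Forwarded-For": "198.51.100.77, 203.0.113.10"}
    return {
        "vulnerable_direct": is_banned(client_ip_vulnerable(attacker, forged), ban_list),
        "vulnerable_via_proxy": is_banned(client_ip_vulnerable("10.0.0.5", via_proxy), ban_list),
        "fixed_direct": is_banned(client_ip_fixed(attacker, forged), ban_list),
        "fixed_via_proxy": is_banned(client_ip_fixed("10.0.0.5", via_proxy), ban_list),
        "trusted_proxy": is_banned(
            client_ip_behind_trusted_proxy("10.0.0.5", via_proxy, ["10.0.0.0/8"]), ban_list),
    }


if __name__ == "__main__":
    for case, banned in demo().items():
        print("%-22s ban enforced: %s" % (case, banned))
```

The two "vulnerable" cases show the bypass: the forged address is the leftmost entry, so even a proxy that appends the true address does not help when the code honours the first one. The "fixed_via_proxy" case shows the caveat from the Mitigation section: once the header is ignored, a proxied deployment bans (or fails to ban) the proxy's address, which is why the proxy-aware variant only accepts the header from a known proxy and reads it from the right.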

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

phpBB (phpbb_group), 14 entries:
  • cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.6d:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.7a:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:phpbb_group:phpbb:2.0.8a:*:*:*:*:*:*:*
  • (no CPE) version range: <= 2.0.8a

Patches

No patches discovered yet.

References

5 references indexed (the list itself is not included on this page).
