CVE-2004-2054
Description
CRLF injection in PhpBB 2.0.4/2.0.9 allows remote unauthenticated attackers to perform HTTP Response Splitting via the mode or redirect parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PhpBB versions 2.0.4 and 2.0.9 contain a CRLF injection vulnerability that enables HTTP Response Splitting attacks [2]. The flaw exists in two scripts: privmsg.php (via the mode parameter) and login.php (via the redirect parameter). An attacker can inject arbitrary CRLF sequences into HTTP response headers, allowing manipulation of the response content sent to the victim's browser. No authentication is required [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing CRLF sequences in the mode or redirect parameters. The attack can be performed remotely without any prior authentication [2]. By injecting new headers and arbitrary content, the attacker can trigger HTTP Response Splitting, enabling further attacks such as web cache poisoning, cross-user defacement, or cross-site scripting [2].
Impact
Successful exploitation allows the attacker to modify the HTTP response body and headers delivered to the client. This can lead to web cache poisoning, hijacking of pages containing sensitive user information, cross-site scripting attacks, and session theft [2]. The attack compromises the integrity of the content served to users and can result in credential stealing or other client-side attacks.
Mitigation
The vendor released PhpBB version 2.0.10 to address this vulnerability [1]. Users should upgrade to the latest available version immediately. If upgrading is not possible, administrators should consider deploying a web application firewall or input validation mechanism to filter CRLF sequences in the vulnerable parameters.
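As an added, defender-side illustration (not phpBB's own code, which is PHP; this is a Python sketch), here are the two controls the mitigation above points at: a server-side validator for a user-supplied redirect target that rejects CR/LF in any percent-encoding layer, and a log scan that flags requests to login.php or privmsg.php whose redirect or mode parameter decodes to a CR/LF. The log lines, client IPs and the injected header name are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
_CRLF = re.compile(r"[\r\n]")

def fully_decode(value: str, rounds: int = 3) -> str:
    # Percent-decode until stable so %0d%0a and double-encoded %250d%250a both surface.
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def contains_crlf(value: str) -> bool:
    return bool(_CRLF.search(fully_decode(value)))

def is_safe_redirect(value: str) -> bool:
    # Check before emitting a Location header from user input: no CR/LF (header
    # injection), no backslash or NUL, and no scheme/host (open redirect).
    decoded = fully_decode(value)
    if _CRLF.search(decoded) or "\\" in decoded or "\x00" in decoded:
        return False
    parts = urlsplit(decoded)  # urlsplit drops raw CR/LF itself, hence the check first
    return not parts.scheme and not parts.netloc

# Constructed access-log lines; only the second and third carry an injection attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2004:13:55:36 +0000] "GET /login.php?redirect=viewtopic.php%3Ft%3D12 HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2004:13:56:01 +0000] "GET /login.php?redirect=index.php%0d%0aX-Injected:%201 HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2004:13:56:07 +0000] "GET /privmsg.php?mode=post%250d%250aX-Injected:%201 HTTP/1.1" 302 0
"""
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
WATCHED = {"login.php": "redirect", "privmsg.php": "mode"}  # script -> parameter named in the CVE

def find_crlf_attempts(log_text: str) -> list[str]:
    # Return request targets whose watched parameter decodes to contain CR or LF.
    hits = []
    for m in _REQ.finditer(log_text):
        target = m.group(1)
        parts = urlsplit(target)
        param = WATCHED.get(parts.path.rsplit("/", 1)[-1])
        if param is None:
            continue
        values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
        if any(contains_crlf(v) for v in values):
            hits.append(target)
    return hits
```

The validator is stricter than a pure CRLF filter: it also refuses absolute and protocol-relative targets, since a redirect parameter that passes through to a Location header is an open-redirect sink as well as a header-injection one.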
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6d:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.7a:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.8a:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*
- (no CPE) range: <3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.