VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2110

Description

SQL injection in Phorum before 3.4.6 via register.php hide_email parameter allows remote attackers to execute arbitrary SQL commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in register.php of Phorum versions prior to 3.4.6. The hide_email parameter is not sanitized before being used in database queries, allowing an attacker to inject arbitrary SQL commands. This vulnerability was reported in a public advisory [1] and the vendor released Phorum 3.4.6 to address the issue.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to register.php with a malicious value in the hide_email parameter. No authentication is required, as registration functionality is accessible to unauthenticated users. The attack can be performed remotely over the network.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL statements against the backend database. This can lead to extraction, modification, or deletion of sensitive data, including user credentials and forum content. The attacker gains the ability to compromise the confidentiality, integrity, and availability of the application's data.

Mitigation

The vendor released Phorum version 3.4.6 as a fix for this vulnerability [1]. All users should upgrade to Phorum 3.4.6 or later. No workarounds have been documented for this specific issue; upgrading is the recommended mitigation.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Phorum/Phorum (2 versions)
    • cpe:2.3:a:phorum:phorum:*:*:*:*:*:*:*:* range: <=3.4.5
    • (no CPE) range: <3.4.6

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the `hide_email` parameter of `register.php` allows SQL injection."

Attack vector

An attacker sends a crafted HTTP POST request to `register.php` with a malicious value in the `hide_email` parameter [1]. The parameter is not sanitized before being used in a SQL query, allowing the attacker to inject arbitrary SQL commands [1]. The advisory notes that due to the location of the injected variable, it is "increasingly hard to exploit this vulnerability to obtain any sort of privilege escalation" [1].

Affected code

The vulnerability resides in the script `register.php` in the field `hide_email` [1]. No patch diff is available in the bundle, but the advisory states that the vulnerable code "appears to not exist in Phorum 5.0.2alpha" [1].

What the fix does

The advisory states that Phorum released version 3.4.6 as a fix, and that the vulnerable code "appears to not exist in Phorum 5.0.2alpha" [1]. No patch diff is provided in the bundle, so the exact code change is unknown. The remediation guidance is to upgrade to Phorum 3.4.6 or later [1].

Preconditions

  • network: The attacker must be able to send HTTP POST requests to the Phorum server.
  • config: The target must be running Phorum version 3.4.5 or earlier.
  • input: The `hide_email` parameter is accepted by `register.php` without sanitization.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
