CVE-2005-3310
Description
Interpretation conflict in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer, which renders malformed image types as HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer (CVE-2005-3312) and the proper fix should be in that browser; if so, then this should not be treated as a vulnerability in phpBB.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"phpBB's avatar upload verification only checks the file header for a valid image signature but does not validate that the file extension matches the actual content type, allowing an HTML file with a .JPG extension to be uploaded."
Attack vector
An authenticated attacker crafts an HTML file containing malicious script (e.g., JavaScript to steal cookies), prepends a valid GIF header (47 49 46 38 39 61 01 00 01 00) to pass phpBB's image verification, and renames the file with a .JPG extension. The attacker uploads this file as an avatar via the "Upload Avatar from URL" feature. When a victim using Internet Explorer navigates directly to the uploaded file's URL (e.g., http://phpbbforum.com/images/avatars/12345.jpg), IE ignores the .JPG extension and the GIF header, rendering the embedded HTML and executing the script in the forum's security zone, enabling cookie theft or other XSS attacks [ref_id=1].
Affected code
The vulnerability lies in phpBB 2.0.17's avatar upload functionality, specifically the "Upload Avatar from URL" feature. The advisory does not name specific files or functions, but the affected code path is the avatar upload verification routine that checks the file header but does not validate that the file extension matches the actual content type [ref_id=1].
What the fix does
The advisory states that phpBB acknowledged the report and indicated a patch would be available within a few days, integrated into version 2.0.18 [ref_id=1]. No patch diff is provided in the bundle. The recommended remediation for administrators is to disable the "Upload Avatar from URL" option until a vendor patch is released [ref_id=1]. A proper fix would require phpBB to validate that the file extension matches the actual content type, not just the file header, preventing HTML files with misleading extensions from being accepted as avatars.
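One way to implement the extension-versus-content check described above, as an added PHP example that is not phpBB's code or its 2.0.18 patch. The function and constant names, the marker list and the 1024-byte scan window are assumptions, and the samples are constructed from the GIF header quoted on this page with harmless markup appended.

```php
<?php
// Added example, not phpBB code. All names here are hypothetical.

// Leading signatures that each permitted avatar extension must start with.
const AVATAR_MAGIC = [
    'gif'  => ["GIF87a", "GIF89a"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
];

// Markup tokens that have no place near the start of an image file.
const HTML_MARKERS = ['<html', '<head', '<body', '<script', '<iframe', '<!doctype', '<title'];

// Returns null when the avatar is acceptable, otherwise the rejection reason.
function avatar_rejection_reason(string $filename, string $bytes): ?string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(AVATAR_MAGIC[$ext])) {
        return "extension '$ext' is not an allowed avatar type";
    }
    $matches = false;
    foreach (AVATAR_MAGIC[$ext] as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            $matches = true;
            break;
        }
    }
    if (!$matches) {
        return "content signature does not match .$ext";
    }
    // A matching signature is not enough: a GIF header followed by HTML
    // still passes the check above. Window size is this example's assumption.
    $head = strtolower(substr($bytes, 0, 1024));
    foreach (HTML_MARKERS as $marker) {
        if (strpos($head, $marker) !== false) {
            return "markup token '$marker' found in image data";
        }
    }
    return null;
}

// Constructed samples: GIF header from the page plus harmless markup.
$gifHeader = "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00";
$polyglot  = $gifHeader . "<html><body>constructed sample</body></html>";

var_dump(avatar_rejection_reason('12345.jpg', $polyglot)); // GIF bytes under a .jpg name
var_dump(avatar_rejection_reason('12345.gif', $polyglot)); // signature matches the name
var_dump(avatar_rejection_reason('12345.gif', $gifHeader)); // header only, no markup
```

The marker scan is a conservative filter: compressed image data can contain one of the tokens by chance, so a rejected upload may occasionally be a legitimate image.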
Preconditions
- auth: Attacker must be an authenticated user of the phpBB forum
- config: phpBB must have remote avatars and avatar uploading enabled
- input: Victim must use Internet Explorer (any version)
- network: Attacker must have access to an HTTP server to host the crafted file for remote URL upload
Reproduction
1. Create a file with a valid GIF header (hex: 47 49 46 38 39 61 01 00 01 00) followed by HTML/JavaScript payload, e.g., `
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/17295/ (nvd; Patch, Vendor Advisory)
- secunia.com/advisories/18098 (nvd; Patch, Vendor Advisory)
- www.debian.org/security/2005/dsa-925 (nvd; Patch, Vendor Advisory)
- archives.neohapsis.com/archives/fulldisclosure/2005-10/0479.html (nvd; Exploit)
- marc.info (nvd)
- www.securityfocus.com/bid/15170 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/22837 (nvd)