CVE-2005-3417
Description
phpBB 2.0.17 and earlier, when the register_long_arrays directive is disabled, allows remote attackers to modify global variables and bypass security mechanisms because PHP does not define the associated HTTP_* variables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.6d:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.7a:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.8a:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*
- (no CPE) range: <=2.0.17
Patches
Vulnerability mechanics
Root cause
"When register_long_arrays is disabled, PHP does not define the HTTP_* superglobal variables, allowing an attacker to supply them as ordinary request parameters and bypass the global variable deregistration code."
Attack vector
An attacker can exploit this by sending a request that sets the `HTTP_*` variables (e.g., `HTTP_GET_VARS`, `HTTP_POST_VARS`) as ordinary GET/POST/COOKIE parameters. Because `register_long_arrays` is disabled, PHP does not define these variables, so the attacker's supplied values are used in the `array_merge()` call, causing the deregistration loop to either fail or process attacker-controlled data. This bypasses the global variable cleanup, enabling further attacks such as XSS, SQL injection, or remote code execution through other uninitialized variables in phpBB [ref_id=1].
Affected code
The vulnerability lies in phpBB's global variable deregistration code, which uses `array_merge()` on the `HTTP_*` superglobal arrays (e.g., `$HTTP_GET_VARS`, `$HTTP_POST_VARS`). When `register_long_arrays` is disabled in PHP, these `HTTP_*` variables are no longer automatically populated by PHP, allowing an attacker to supply them as ordinary request parameters and bypass the protection entirely [ref_id=1].
What the fix does
The advisory recommends upgrading to the latest phpBB release, which addresses the bypass by properly handling the case where `register_long_arrays` is disabled [ref_id=1]. No patch diff is provided in the bundle, but the vendor released an updated version on 30 October 2005. The fix likely involves checking for the existence of the `HTTP_*` variables or using the newer `$_*` superglobals instead, ensuring the deregistration code cannot be circumvented by supplying these variables as ordinary request parameters.
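To make the bypass described under "Attack vector" and the fix direction sketched above concrete, here is an added example (not phpBB's own code) that simulates the deregistration loop: `$scope` stands in for PHP's global scope after `register_globals` has imported the request, and the hardened variant is one possible fix, not necessarily the one the vendor shipped.

```php
<?php
// Added example, not phpBB's own code: a simulation of the deregistration
// loop the advisory describes. $scope stands in for PHP's global scope after
// register_globals has copied every request parameter into it.

// Vulnerable shape: the keys to unset come from the HTTP_*_VARS long arrays.
// With register_long_arrays=Off PHP never defines them, so whatever the
// request supplied under those names is what array_merge() consumes.
function deregister_via_long_arrays(array &$scope)
{
    $get    = isset($scope['HTTP_GET_VARS'])    ? (array) $scope['HTTP_GET_VARS']    : array();
    $post   = isset($scope['HTTP_POST_VARS'])   ? (array) $scope['HTTP_POST_VARS']   : array();
    $cookie = isset($scope['HTTP_COOKIE_VARS']) ? (array) $scope['HTTP_COOKIE_VARS'] : array();
    foreach (array_keys(array_merge($get, $post, $cookie)) as $var) {
        unset($scope[$var]);
    }
}

// Hardened shape (one possible fix, not necessarily the one phpBB shipped):
// take the key list from $_GET/$_POST/$_COOKIE, which PHP always populates
// and which a request parameter can never replace. They are passed in as
// arguments here so the function can be exercised offline.
function deregister_via_superglobals(array &$scope, array $get, array $post, array $cookie)
{
    foreach (array_keys(array_merge($get, $post, $cookie)) as $var) {
        if ($var === 'GLOBALS') {
            continue; // never touch the global table itself
        }
        unset($scope[$var]);
    }
}

// Constructed request: two GET parameters, one of them named HTTP_GET_VARS.
// register_globals turns both into globals; with long arrays off there is no
// real $HTTP_GET_VARS array to shadow the attacker-supplied string.
$request_get = array('HTTP_GET_VARS' => 'x', 'untrusted_global' => 'attacker value');
$scope = $request_get;

$vulnerable = $scope;
deregister_via_long_arrays($vulnerable);
// The loop iterated over array('x') and unset $scope[0]; 'untrusted_global' survives.

$hardened = $scope;
deregister_via_superglobals($hardened, $request_get, array(), array());
// The loop saw the real parameter list, so 'untrusted_global' is removed.

// Compare both outcomes: the first still holds the injected global, the second does not.
var_dump(isset($vulnerable['untrusted_global']), isset($hardened['untrusted_global']));
```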
Preconditions
- config: PHP's register_long_arrays directive must be disabled (the default in PHP 5).
- network: The attacker must be able to send HTTP requests to the phpBB application.
- auth: No authentication is required; the bypass works on any publicly accessible page that includes the deregistration code.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- securitytracker.com/id (nvd, Patch, Vendor Advisory)
- www.hardened-php.net/advisory_172005.75.html (nvd, Patch, Vendor Advisory)
- www.securityfocus.com/bid/15243 (nvd, Patch)
- marc.info (nvd)
- secunia.com/advisories/17366 (nvd)
- secunia.com/advisories/18098 (nvd)
- securityreason.com/securityalert/130 (nvd)
- www.debian.org/security/2005/dsa-925 (nvd)
- www.osvdb.org/20414 (nvd)