VYPR
Unrated severity · NVD Advisory · Published Nov 1, 2005 · Updated Jun 16, 2026

CVE-2005-3419

Description

SQL injection vulnerability in usercp_register.php in phpBB 2.0.17 allows remote attackers to execute arbitrary SQL commands via the signature_bbcode_uid parameter, which is not properly initialized.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • phpBB Group / phpBB, 28 versions:
    • cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6d:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.7a:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.8a:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_beta1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*
    • (no CPE) range: =2.0.17

Patches

Vulnerability mechanics

Root cause

"Missing initialization of the `signature_bbcode_uid` variable in `usercp_register.php` allows SQL injection when register_globals is enabled."

Attack vector

An attacker sends a crafted HTTP request (GET, POST, or COOKIE) that sets the `signature_bbcode_uid` parameter to a malicious SQL payload [ref_id=1]. This works because phpBB's protection code, which unsets request-supplied globals when `register_globals` is on, can be bypassed: setting `HTTP_SESSION_VARS` to a non-array value makes the `array_merge()` call fail and leaves `$input` empty, so the unset loop removes nothing, and on PHP 5 the `GLOBALS[foobar]` request syntax offers a second route [ref_id=1]. Because `usercp_register.php` never initializes `signature_bbcode_uid`, the attacker-supplied value is placed directly into an SQL statement against the user table; with `magic_quotes_gpc` off it arrives unescaped, so arbitrary SQL commands can be executed [ref_id=1].
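The bypass described above hinges on a sanitization routine that fails open when its input enumeration breaks. The following PHP is an added illustration, not phpBB's code and not taken from the advisory: it models the register_globals deregistration loop as a function over a `$scope` array standing in for PHP's global symbol table, runs it once as in 2.0.17 and once with the `is_array()` guard, and shows which request keys survive. The function names, the `$scope` model and the request data are constructed; `HTTP_SERVER_VARS` and the other sources phpBB merged are omitted for brevity.

```php
<?php
// Added illustration, not phpBB's code: a model of the register_globals "deregistration"
// loop phpBB 2.0.17 ran before handling a request, and why a non-array HTTP_SESSION_VARS
// makes it fail open. $scope stands in for PHP's global symbol table; all names and request
// data below are constructed.

declare(strict_types=1);

// register_globals stand-in: each request array, and every key inside it, becomes a global.
// HTTP_SESSION_VARS only exists when the app starts a PHP session (phpBB 2 did not), so a
// request key of that name is what ends up in scope.
function register_globals_import(array $sources): array
{
    $scope = [];
    foreach ($sources as $name => $vars) {
        $scope[$name] = $vars;
        foreach ($vars as $k => $v) {
            $scope[$k] = $v;
        }
    }
    return $scope;
}

// Model of the deregistration loop. With $hardened the is_array() guard the fixed release
// added is applied first; without it the loop behaves like 2.0.17.
function deregister_globals(array $scope, bool $hardened): array
{
    $not_unset = ['HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SESSION_VARS'];
    $session   = $scope['HTTP_SESSION_VARS'] ?? [];
    if ($hardened && !is_array($session)) {
        $session = [];                 // the fix: a non-array can no longer reach array_merge()
    }
    try {
        // PHP 4/5 (what 2.0.17 ran on): a non-array argument makes array_merge() return NULL
        // with a warning. PHP 8 throws TypeError instead; catching it reproduces the legacy result.
        $input = @array_merge($scope['HTTP_GET_VARS'] ?? [], $scope['HTTP_POST_VARS'] ?? [],
                              $scope['HTTP_COOKIE_VARS'] ?? [], $session);
    } catch (TypeError $e) {
        $input = null;
    }
    // NULL casts to an empty array, so the loop unsets nothing: every request key survives.
    foreach ((array) $input as $var => $_) {
        if (!in_array($var, $not_unset, true)) {
            unset($scope[$var]);
        }
    }
    return $scope;
}

// Constructed request: the bypass key plus the variable the advisory names.
$request = [
    'HTTP_GET_VARS'    => ['HTTP_SESSION_VARS' => 'x', 'signature_bbcode_uid' => "', user_level = 1 --"],
    'HTTP_POST_VARS'   => [],
    'HTTP_COOKIE_VARS' => [],
];
$scope = register_globals_import($request);

foreach ([[false, 'as in 2.0.17'], [true, 'with is_array() guard']] as [$hardened, $label]) {
    $after = deregister_globals($scope, $hardened);
    printf("%-22s signature_bbcode_uid %s\n", $label . ':',
        array_key_exists('signature_bbcode_uid', $after) ? 'still set from the request' : 'removed');
}
```

In the unguarded run the failed merge yields no keys to unset, so `signature_bbcode_uid` (and anything else the request supplied) remains a global for `usercp_register.php` to pick up; with the guard the merge succeeds and the request key is removed. The general lesson is that a deny-list cleanup must validate the data it iterates over, because the attacker controls that data too.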

Affected code

The vulnerability resides in `usercp_register.php`, where `signature_bbcode_uid` is read without ever being initialized [ref_id=1]. With `register_globals` enabled and phpBB's global-variable deregistration bypassed, the attacker chooses the variable's value [ref_id=1].

What the fix does

The advisory recommends upgrading to the fixed phpBB release, which initializes `signature_bbcode_uid` in `usercp_register.php` before it is used [ref_id=1]. No patch diff is provided in the bundle, but the vendor's fix assigns such variables explicitly before use, so a value injected through a `register_globals` bypass is overwritten rather than trusted [ref_id=1].
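To make the affected-code and fix sections concrete, here is an added PHP example that is not phpBB's code: a vulnerable signature-update function whose `signature_bbcode_uid` is never assigned (with `extract()` standing in for register_globals), beside a fixed version that initializes the variable and uses a prepared statement. Table and column names are modelled on phpBB 2's users table, which is an assumption; the schema, rows and payload are constructed, and an in-memory SQLite database through PDO (requires the pdo_sqlite extension) keeps it runnable offline.

```php
<?php
// Added example, not phpBB's code: why a variable the script never assigns turns a signature
// update into SQL injection once register_globals fills it from the request, and what the fix
// (initialise it, keep data out of the SQL text) changes. Table and column names are modelled
// on phpBB 2's users table (assumption); the schema, rows and payload are constructed.

declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE phpbb_users (user_id INTEGER PRIMARY KEY, username TEXT,
                user_level INTEGER, user_sig TEXT, user_sig_bbcode_uid TEXT)');
    // user_level 1 is the administrator level in phpBB 2; mallory starts as an ordinary user
    $db->exec("INSERT INTO phpbb_users VALUES (2, 'admin', 1, '', ''), (5, 'mallory', 0, '', '')");
    return $db;
}

function user_level(PDO $db, int $user_id): int
{
    $stmt = $db->prepare('SELECT user_level FROM phpbb_users WHERE user_id = ?');
    $stmt->execute([$user_id]);
    return (int) $stmt->fetchColumn();
}

// Vulnerable shape. extract() stands in for register_globals: every request key becomes a local
// variable. $signature_bbcode_uid is never assigned by the function, so the request decides it.
// The signature itself is escaped; the uid is not, which is the uninitialised-variable path.
function update_signature_vulnerable(PDO $db, int $user_id, array $request): void
{
    extract($request);
    $signature = isset($signature) ? trim((string) $signature) : '';
    $sql = "UPDATE phpbb_users SET user_sig = '" . addslashes($signature) . "', "
         . "user_sig_bbcode_uid = '" . $signature_bbcode_uid . "' WHERE user_id = " . $user_id;
    $db->exec($sql);
}

// Fixed shape: every value the query uses is initialised from a known source before use, and
// a prepared statement keeps request data out of the SQL text regardless of magic_quotes_gpc.
function update_signature_fixed(PDO $db, int $user_id, array $request): void
{
    $signature            = isset($request['signature']) ? trim((string) $request['signature']) : '';
    $signature_bbcode_uid = ($signature !== '') ? bin2hex(random_bytes(5)) : '';
    $stmt = $db->prepare('UPDATE phpbb_users SET user_sig = :sig, user_sig_bbcode_uid = :uid
                          WHERE user_id = :id');
    $stmt->execute([':sig' => $signature, ':uid' => $signature_bbcode_uid, ':id' => $user_id]);
}

// Constructed payload: closes the quoted uid, appends an attacker-chosen column assignment and
// comments out the original WHERE clause. With magic_quotes_gpc on the leading quote would
// arrive as \' and this payload would not parse, which is the precondition the advisory notes.
$payload = [
    'signature'            => 'hello',
    'signature_bbcode_uid' => "', user_level = 1 WHERE user_id = 5 --",
];

$db = make_db();
update_signature_vulnerable($db, 5, $payload);
printf("vulnerable: mallory user_level = %d\n", user_level($db, 5));

$db = make_db();
update_signature_fixed($db, 5, $payload);
printf("fixed:      mallory user_level = %d\n", user_level($db, 5));
```

On the vulnerable path the request value becomes part of the `UPDATE` text and the extra `user_level` assignment is executed against the user table; on the fixed path the request key `signature_bbcode_uid` is simply never consulted, and even a value that did reach the query would be bound as data. Initializing the variable is what closes this CVE; the prepared statement is the defence that would have held even with the register_globals bypass in place.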

Preconditions

  • config: PHP register_globals must be enabled
  • config: magic_quotes_gpc must be turned off for the SQL injection path
  • network: attacker must be able to send HTTP requests to the phpBB application
  • input: phpBB's global variable deregistration protection must be bypassed (e.g., by setting HTTP_SESSION_VARS to a non-array value)

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (10)
