VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 1, 2005· Updated Jun 16, 2026

CVE-2005-3420

CVE-2005-3420

Description

usercp_register.php in phpBB 2.0.17 allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter, as demonstrated by injecting an "e" modifier into a preg_replace statement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

28
  • PhpBB/phpBB28 versions
    cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*+ 27 more
    • cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.6d:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.7a:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.8a:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_beta1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*
    • (no CPE)range: = 2.0.17

Patches

Vulnerability mechanics

Root cause

"Uninitialised variable `signature_bbcode_uid` in `usercp_register.php` allows an attacker to inject an `e` modifier into a `preg_replace()` pattern, causing PHP code evaluation."

Attack vector

An attacker sends a crafted HTTP request containing a `signature_bbcode_uid` parameter (via GET, POST, or COOKIE) while register_globals is enabled. Because the variable is uninitialised in `usercp_register.php`, the attacker-supplied value flows into a `preg_replace()` call. By injecting an `e` modifier into the first argument of `preg_replace()`, the second argument (which is the user-supplied signature) is evaluated as PHP code, allowing arbitrary code execution [ref_id=1].

Affected code

The vulnerable code resides in `usercp_register.php` of phpBB 2.0.17. The variable `signature_bbcode_uid` is not properly initialised before use, allowing an attacker to control its value via register_globals [ref_id=1].

What the fix does

The advisory recommends upgrading to the new phpBB release that fixes the uninitialised variable problems [ref_id=1]. No patch diff is provided in the bundle, but the vendor's fix would properly initialise `signature_bbcode_uid` before use, preventing an attacker from controlling the `preg_replace()` pattern and injecting the `e` modifier that leads to code execution.

Preconditions

  • configPHP register_globals must be enabled on the server
  • networkThe attacker must be able to supply HTTP GET, POST, or COOKIE parameters to usercp_register.php
  • authNo authentication is required; the vulnerability is reachable by any remote user

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.