CVE-2002-1707 in phpBB
Summary
by MITRE
install.php in phpBB 2.0 through 2.0.1, when "allow_url_fopen" and "register_globals" variables are set to "on", allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_dir parameter to reference a URL on a remote web server that contains the code.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/02/2025
The vulnerability identified as CVE-2002-1707 represents a critical remote code execution flaw in phpBB versions 2.0 through 2.0.1 that exploits specific PHP configuration settings to enable attackers to execute arbitrary code on affected systems. This vulnerability resides within the install.php script, which serves as the installation utility for the phpBB bulletin board system. The flaw demonstrates the dangerous combination of insecure parameter handling and permissive PHP configuration settings that collectively create a pathway for remote code injection attacks.
The technical mechanism of this vulnerability stems from the improper validation of the phpbb_root_dir parameter within the install.php script. When both allow_url_fopen and register_globals PHP directives are enabled, the application fails to properly sanitize user input before using it in file operations. This configuration allows the phpbb_root_dir parameter to be manipulated into referencing a remote URL instead of a local directory path. The allow_url_fopen setting permits PHP to open remote files via URLs, while register_globals automatically creates global variables from request data, creating a dangerous combination that enables attackers to inject malicious code through parameter manipulation.
The operational impact of this vulnerability extends beyond simple code execution to encompass full system compromise potential. Attackers can leverage this flaw to upload and execute arbitrary PHP code on the target server, potentially gaining complete control over the web application environment. This capability allows for data exfiltration, system enumeration, privilege escalation, and deployment of backdoors or additional malware. The vulnerability affects not only the phpBB application itself but also the underlying server infrastructure, as successful exploitation can lead to broader system compromise and persistent access for attackers. The risk is particularly severe in environments where the web server has elevated privileges or where the application is hosted on shared servers with multiple tenants.
Security professionals should address this vulnerability through immediate patching of affected phpBB installations to version 2.0.2 or later, which contains the necessary fixes for this issue. Additionally, administrators must disable the vulnerable PHP configuration settings by setting allow_url_fopen and register_globals to "off" in the php.ini configuration file, as these settings represent fundamental security risks beyond this specific vulnerability. The mitigation strategy should also include implementing proper input validation and parameter sanitization within the application code, along with network-level protections such as firewalls and intrusion detection systems to monitor for suspicious URL patterns and code execution attempts. This vulnerability aligns with CWE-94, which describes the weakness of "Improper Control of Generation of Code ('Code Injection')" and corresponds to ATT&CK technique T1190, "Exploit Public-Facing Application," highlighting the importance of securing web applications against remote code execution attacks through proper configuration management and input validation practices.