CVE-2004-1315
published 2004-11-12


Priority: P2 · 74 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 71.90% (99.3th percentile)

viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.

Affected

28 ranges · showing 25
Vendor | Product | Version range | Fixed in
phpbb_group | phpbb

Detection & IOCs (extracted from sources)

url: /viewtopic.php?t=<topic>&highlight=%2527%252ephpinfo()%252e%2527
path: /viewtopic.php
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315"; flow:established,to_server; http.uri; content:"viewtopic.php"; nocase; content:"highlight="; nocase; http.uri.raw; pcre:"/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i"; reference:cve,2004-1315; classtype:web-application-attack; sid:2021390; rev:3; metadata:created_at 2015_07_07, cve CVE_2004_1315, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_28;)
  • Look for double-encoded percent signs (%2525) in the `highlight` query parameter of requests to viewtopic.php — this is the canonical double-URL-encoding attack pattern used to bypass phpBB's sanitization and inject into preg_replace().
  • The Metasploit module probes for vulnerability by sending `highlight=%2527%252ephpinfo()%252e%2527` and checking the response body for the string `phpinfo` — this fingerprinting request can be used as a detection signature.
  • The exploit injects arbitrary commands via the `highlight` parameter by encoding each payload byte as `chr(<decimal>)` joined with `%252e` (double-encoded dot), forming a preg_replace /e modifier code execution chain.
  • The default phpBB root directory used by the Metasploit module is `/phpBB2` — monitor for exploit attempts targeting this path combined with `viewtopic.php` and a `highlight` parameter.
  • The Santy.A worm exploited this exact vulnerability via PHP exec; any process spawned by the web server (e.g., Apache/PHP) executing shell commands should be treated as a high-confidence indicator of compromise on phpBB 2.x installations.
  • The PCRE pattern `/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i` (ET SID 2021390) matches the double-encoded percent sequence in the raw URI and is the recommended network-level detection for this CVE.
  • The vulnerability affects phpBB versions 2.0.4 through 2.0.15 inclusive (introduced in revision 3076, fixed in revision 5166). The NVD advisory specifically calls out versions before 2.0.11 for CVE-2004-1315; the Metasploit module also covers CVE-2005-2086, which extends the range to 2.0.15.
  • The Metasploit module automatically enumerates valid topic IDs (1–32) if none is specified; defenders should be aware that sequential GET requests to `viewtopic.php?topic=<n>` checking for `class="postdetails"` may precede the actual exploit attempt.
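
Added example (not from this page's sources, the ET ruleset or the Metasploit module): the PCRE quoted above applied to web server access logs for retrospective triage, also printing the `highlight` value after one and two URL-decoding passes so an analyst can see what the application would have received. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# PCRE from ET SID 2021390 as quoted on this page. \x25 is "%", so it looks
# for "%25" followed by two hex digits inside the raw highlight value.
DOUBLE_ENC = re.compile(r"[&?]highlight=[^&]*?\x2525[a-f0-9]{2}", re.I)
# Client address and request target of a combined-format log line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
HIGHLIGHT = re.compile(r"[&?]highlight=([^&]*)", re.I)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2004:10:00:01 +0000] "GET /phpBB2/viewtopic.php?t=5&highlight=install+guide HTTP/1.1" 200 5120',
    # A single literal percent sign ("100% free") must not be flagged.
    '192.0.2.11 - - [12/Nov/2004:10:00:02 +0000] "GET /phpBB2/viewtopic.php?t=5&highlight=100%25+free HTTP/1.1" 200 5090',
    # The fingerprinting request quoted on this page.
    '198.51.100.7 - - [12/Nov/2004:10:00:03 +0000] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527%252ephpinfo()%252e%2527 HTTP/1.1" 200 48211',
    # Upper-case path and hex digits: the rule is case-insensitive.
    '198.51.100.7 - - [12/Nov/2004:10:00:04 +0000] "GET /phpBB2/VIEWTOPIC.PHP?highlight=%252E HTTP/1.1" 404 210',
]


def scan_line(line):
    """Return a finding dict for a request matching the rule, else None."""
    m = REQUEST.match(line)
    if not m:
        return None  # not a parsable request line
    client, uri = m.groups()
    # Match on the raw (undecoded) URI, as the rule does with http.uri.raw.
    if "viewtopic.php" not in uri.lower() or not DOUBLE_ENC.search(uri):
        return None
    raw = HIGHLIGHT.search(uri).group(1)
    return {
        "client": client,
        "uri": uri,
        "raw": raw,
        "decoded_once": unquote(raw),            # after the first decode
        "decoded_twice": unquote(unquote(raw)),  # after the second decode
    }


def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["raw"], "->", f["decoded_once"], "->", f["decoded_twice"])
```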

CVSS provenance

nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 · HIGH