phpBB Improper Initialization Vulnerability - CVE-2001-1471

prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users to execute arbitrary PHP code via an invalid language value which prevents the variables (1) l_statsblock in prefs.php or (2) l_privnotify in auth.php from being properly initialized which can be modified by the user and later used in an eval statement.