Multiple SQL injection vulnerabilities in phpfreeBB 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to permalink.php and (2) year parameter to index.php.