phpBB had an early X-mas gift in the form of a release of phpBB 2.0.22. The release fixes a number of security issues as well as functional issues. The security issues can be summarized as:

• Check for the avatar upload directory reinforced
  
• Changes to the criteria for "bad" redirection targets
  
• Fixed a non-persistent XSS issue in private messaging
  
• Fixing possible negative start parameter
  
• Added session checks to various forms
  

Considering the past exploitation of phpBB vulnerabilites, it might be best not to postpone this upgrade till after the holidays and get to it now.

Don't forget to upgrade both the files and run the script as well as applying the patch to the subSilver template in any derived template you might have.

--
Swa Frantzen -- Section 66