> Due to a bug in the phpBB highlighting code it's possible to inject
> PHP-code into the running script. E.g. It's possible to run system
> commands if the PHP interpreter allows system() and similar functions.
> This is actually based on an old bug which was improperly fixed in
> phpBB 2.0.11.

phpBB versions 2.0.11 through 2.0.14 don't seem affected, no? It was rather reintroduced in version 2.0.15 because they changed some things in this part of the code.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
