phpBB users who thought they were out of the woods might want to step back for a second and look at a new posting from PHP Magazine about a possible "File Disclosure Vulnerability".
Remote exploitation of an input validation vulnerability in the phpBB Group's phpBB2 bulletin board system allows attackers to read the contents of arbitrary system files under the privileges of the web server. phpBB is an open-source web-based bulletin board system written in PHP. The problem specifically exists due to an input validation error that allows a remote attacker to control the arguments in a call to copy().
The basic idea here is that, through the forum's avatar upload feature, a malicious user can control the arguments passed to copy(), so the web server copies whichever file the attacker names, giving them access to just about any file on the local filesystem that the web server can read.
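As an added illustration (constructed for this post, not phpBB's own code), here is the pattern the advisory describes, a copy() whose arguments come straight from the request, next to a hardened upload handler that only accepts the file PHP itself received in the multipart body; the function names, form field names and the size limit are assumptions.

```php
<?php
// Constructed example, not phpBB code. The unsafe function shows the class of bug
// the advisory describes: request data reaches copy(), so the web server copies
// any file it can read into a web-accessible avatar directory.
function save_avatar_unsafe(array $request, string $avatar_dir): string
{
    $dest = $avatar_dir . '/' . $request['avatar_filename'];
    copy($request['avatar_source'], $dest);   // both arguments attacker-controlled
    return $dest;
}

// Hardened version: trust only the temp file created by PHP for this request,
// verify it with is_uploaded_file(), check the content is really an image, and
// derive the destination name from server-side data, never from the request.
function save_avatar_safe(array $files, string $avatar_dir, int $user_id, int $max_bytes = 6144): string
{
    if (!isset($files['avatar']) || $files['avatar']['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no avatar uploaded');
    }
    $tmp = $files['avatar']['tmp_name'];
    // False for any path that was not uploaded in this request, which rules out
    // pointing the copy at an arbitrary system file.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($files['avatar']['size'] > $max_bytes) {
        throw new RuntimeException('avatar too large');
    }
    // Decide the type from the bytes, not from the user-supplied file name.
    $info = @getimagesize($tmp);
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    // Destination name built from the user id and a timestamp only.
    $dest = sprintf('%s/%d_%d.%s', $avatar_dir, $user_id, time(), $allowed[$info[2]]);
    // move_uploaded_file() refuses anything that is not an upload of this request.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store avatar');
    }
    return $dest;
}
```

The check to look for when auditing similar code is whether the source path given to copy() or move_uploaded_file() can come from anywhere but `$_FILES[...]['tmp_name']`.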
Richard Heyes also notes the phpBB vulnerability in a post on his blog, phpguru. He also recommends FUDForum, which according to Ilia has seen only three security issues in five years.