A new exploit is already out for phpbb 2.0.13. I've asked the phpbb development team about it, and they say it will be fixed in version 2.0.14.

It's a way to make yourself admin through exploitation of cookie data. Here's the fix anyway:

Add
$userdata['user_level'] = USER;

after every
$userdata['user_id']
= ANONYMOUS;

in session.php

Thanks for sharing this information with us. This will definately help most of the people using PHPbb

You mean sessions.php, right?

It's located in the includes folder.

I found just two instances of



is that all?

I don't know PHP very well, so could you confirm that this is all right?

Thanks.

I beleve it is,

You should take up a cource in php or asp.
Its really cool or you could go onto Win server 2005 or 4, which ever ones out now.

Anyway, as usual my sig-
Thanks,
FFC Webmaster,
Asad Haider.

Thanks for telling us about this flaw. I upgraded as soon as I found this out!
To everoyne else - Make sure that you upgrade your version of phpBB as soon as possible, it is a good habbit to always upgrade

Yes I strongly Advise everyone on phpBB to upgrade to 2.0.14 ASAP. My Clan was on phpBB 2.0.13 and some people who disliked us did the same thing and deleted our forums several times.

why not just upgrade to 2.0.15? it's already released.