C-Note-05-007: phpBB Vulnerable to Arbitrary File Disclosure (03/01/05)

The phpBB input validation methods may fail to sanitize user input resulting in a disclosure of arbitrary file data. If the remote avatar and remote avatar uploading functions are enabled (they are disabled by default), a remote authenticated attacker that is allowed to specify remote avatars may be able to access arbitrary files on the phpBB server with the permissions of the web server.

It is recommended that you upgrade to phpBB 2.0.13.
http://www.phpbb.com/phpBB/viewtopic.php?t=267563

CIAC would like to thank US-CERT for this information.
http://www.kb.cert.org/vuls/id/774686