Gentoo Linux Security Advisory GLSA 200503-02 - It was discovered that phpBB contains a flaw in the session handling code and a path disclosure bug. AnthraX101 discovered that phpBB allows local users to read arbitrary files if the "Enable remote avatars" and "Enable avatar uploading" options are set (CVE-2005-0259). He also found that incorrect input validation in usercp_avatar.php and usercp_register.php makes phpBB vulnerable to directory traversal attacks if the "Gallery avatars" setting is enabled (CVE-2005-0258). Versions earlier than 2.0.13 are affected.
b4cb2c0bc5261f26b321b308ca3bb029882790cb78626aa79aa2b52c25a7c28a
iDEFENSE Security Advisory 02.22.05 - Remote exploitation of an input validation vulnerability in the phpBB Group's phpBB2 bulletin board system allows attackers to unlink (delete) arbitrary system files under the privileges of the web server.
8a6f19eb9ba57da2748ca989db18c6ee62630c633912223b282be4427a4d42ef