There is a phpBB worm and anti-worm worm on the loose. What is interesting is that neither PHP nor phpBB are taking responsibility for it.
PHP: “A recent Web Worm known as NeverEverSanity exposed a mistake in the input validation in the popular phpBB message board application. Their highlighting code didn’t account for double-urlencoded input correctly. Without proper input validation of untrusted user data combined with any of the PHP calls
that can execute code or write to the filesystem you create a potential security problem. Despite some confusion regarding the timing of some unrelated PHP security fixes and the NeverEverSanity worm, the worm didn’t actually have anything to do with a security problem in PHP.”
phpBB: “Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) use these two functions as a matter of course.
It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB’s config.php file. We therefore recommend the following:
1) If you maintain your own server be sure to upgrade to the newest available release of PHP (both versions 4 and 5). Be aware that at this time phpBB 2.0.x has problems functioning under PHP5 without modification.
2) If you pay for hosting ensure you hosting provider has upgraded their installation of PHP (again remember that phpBB 2.0.x and other scripts will not function under PHP5 without modification)”