Hi All.
Each day I'm discovering new security holes in phpBB mods...
What I discovered today concerns the Flash Chat mod, or any other mod which allows logging in to the db without using the standard login.php page (or login_xs.php for XS).
What is the risk?
The risk is really simple: passwords may be brute forced.
So, if you are using a mod which doesn't have security measures against password brute forcing, or has an unsecured login form... then you should choose a complex password for all the board admins.
The risk is high if your password is short and only alphabetic.
Attackers may obtain an admin's password and then access the board with admin privileges.
At the moment I don't know how many mods may be subject to this risk... obviously chat mods are more exposed than other mods...
phpBB XS doesn't contain any chat... even if you will find a chatbox mod in the contrib folder of the next release... use these mods at your own risk... or find a way to secure them against brute force.
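The post describes the problem (a mod-specific login form that answers every guess at full speed) but not a fix. As an added example, not code from the original post, from phpBB, phpBB XS or the Flash Chat mod, here is the unthrottled login pattern next to a throttled one, with a constructed wordlist run against both. The user table, the `LoginThrottle` class, the handler functions and the wordlist are all assumptions made for this demo; the table stores md5 hashes, the scheme phpBB 2 used, but a real mod would look users up in the phpbb_users table and keep the failure counters in the database or a cache rather than in a PHP array.

```php
<?php
// Added example: a login throttle for a phpBB 2 mod that has its own login
// form. Illustrative code, not from phpBB, phpBB XS or the Flash Chat mod.
// The user table, wordlist and class below are constructed for the demo.

class LoginThrottle
{
    private $maxFailures;
    private $lockoutSeconds;
    private $state = array(); // "user|ip" => array('count' => n, 'locked_until' => ts)

    public function __construct($maxFailures = 5, $lockoutSeconds = 900)
    {
        $this->maxFailures = $maxFailures;
        $this->lockoutSeconds = $lockoutSeconds;
    }

    private function key($username, $ip)
    {
        // Throttle per account and per source address: one attacker cannot
        // lock out every admin, and an admin is not locked out by someone
        // else's typos from another address.
        return strtolower($username) . '|' . $ip;
    }

    public function isLocked($username, $ip, $now)
    {
        $k = $this->key($username, $ip);
        return isset($this->state[$k]) && $this->state[$k]['locked_until'] > $now;
    }

    public function recordFailure($username, $ip, $now)
    {
        $k = $this->key($username, $ip);
        if (!isset($this->state[$k])) {
            $this->state[$k] = array('count' => 0, 'locked_until' => 0);
        }
        $this->state[$k]['count']++;
        if ($this->state[$k]['count'] >= $this->maxFailures) {
            $this->state[$k]['locked_until'] = $now + $this->lockoutSeconds;
            $this->state[$k]['count'] = 0;
        }
    }

    public function recordSuccess($username, $ip)
    {
        unset($this->state[$this->key($username, $ip)]);
    }
}

// Constructed user table: username => md5(password), deliberately weak so
// the demo attack below can guess it.
$users = array('admin' => md5('secret'));

// The unsafe pattern: every request gets a full credential check, so an
// attacker can try passwords as fast as the server answers.
function login_unthrottled($users, $username, $password)
{
    return isset($users[$username]) && $users[$username] === md5($password);
}

// The hardened pattern: refuse a locked account before touching the
// credentials, count failures, and clear the counter on success.
function login_throttled(LoginThrottle $throttle, $users, $username, $password, $ip, $now)
{
    if ($throttle->isLocked($username, $ip, $now)) {
        return 'locked';
    }
    if (isset($users[$username]) && $users[$username] === md5($password)) {
        $throttle->recordSuccess($username, $ip);
        return 'ok';
    }
    $throttle->recordFailure($username, $ip, $now);
    return 'fail';
}

// Demo: a small constructed wordlist tried against both handlers.
$wordlist = array('password', 'letmein', 'admin', 'phpbb', 'qwerty', 'welcome', 'secret');
$ip = '203.0.113.10';
$now = time();

$cracked = null;
foreach ($wordlist as $guess) {
    if (login_unthrottled($users, 'admin', $guess)) {
        $cracked = $guess;
        break;
    }
}
echo "unthrottled: " . ($cracked === null ? 'not found' : "cracked with '$cracked'") . "\n";

$throttle = new LoginThrottle(5, 900);
$results = array();
foreach ($wordlist as $guess) {
    $results[] = login_throttled($throttle, $users, 'admin', $guess, $ip, $now);
}
echo "throttled:   " . implode(' ', $results) . "\n";
```

With the constructed wordlist the unthrottled handler recovers the password on the seventh guess, while the throttled handler locks the account/address pair after the fifth failure and answers "locked" to everything else for 900 seconds, so the correct guess is never even checked. The lockout window only slows an attacker down; the advice in the post still stands, because a short alphabetic password can be found in a few thousand guesses, which a patient attacker with several addresses will get through eventually.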