Just a few days after phpBB 2.0.12 is released, this comes out today:

Quote Originally Posted by phpBB
phpBB Group announces the release of phpBB 2.0.13, the "Beware of the furries" edition. This release addresses two recent security exploits, one of them critical. They were reported a few days after .12 was released and no one is more annoyed than us, having to release a new version in such a short period of time.
Fortunately both fixes are easy and in each case just one line needs to be edited.

The first issue is critical (session handling allowing everyone gaining administrator rights) and we urge you to fix it on your forums as soon as possible:

Code:
Open includes/sessions.php 

Find: 
Code: 
if( $sessiondata['autologinid'] == $auto_login_key ) 

Replace with: 
Code: 
if( $sessiondata['autologinid'] === $auto_login_key )

A second minor issue reported to bugtraq several days ago was the path disclosure bug in viewtopic.php which got fixed by applying the following steps:

Code:
Open viewtopic.php 

Find: 
Code: 
$message = str_replace('\"', '"', substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1)); 

Replace with: 
Code: 
$message = str_replace('\"', '"', substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "@preg_replace('#\b(" . $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
As with all new releases we urge you to upgrade as soon as possible. You can of course find this download available on our downloads page. As per usual three packages are available to simplify your upgrade.