We've just discovered a serious security issue found in all versions of phpBB. By default all registered users are allowed to edit their own posts and this opens up all phpBB forums to an advanced form of SEO spam

It's working like this:

1. A user registers and posts a couple of legitimate posts asking for help on various topics related to the forum. The forum owner will think it's the real deal.

2. After a couple of weeks (about 3 weeks in our cases) the user returns and edit their original posts filling them with spam links.

An edit of a forum post will not set any alert and will not show up in any way like for example a reply will do. Therefore this will go completely unnoticed as long as no other user reply to the post or the admin is going thru all old posts every now and then to check for spam since the post has already been checked when the admin replied to the post

This is a serious problem, but it's easy to fix: Just login to your forum admin page and remove all privileges for registered users to edit their own posts.

This fix will of course reduce the functionality of your forum, but for now there's no other fix.....