CVE 2006-4758
phpBB 2.0.21 does not properly handle pathnames ending in %00, which allows remote authenticated administrative users to upload arbitrary files, as demonstrated by a query to admin/admin_
See the
CVE page on Mitre.org
for more details.