Hi. I'm new to this board (this is my first post). Here's my question:
I'm running a phpbb2.0.11 board on XP SP2 using apache 2.0.52, php 5.0.3 and mysql 4.0.19. Each of the forums on the board is 'private', and I have three groups of users: group A is granted access to everything, group B is granted access only to some of the forums and group C is granted no special access to anything (it is used so that I can send emails to a subset of the users).
I recently moved a particular user from group A to group B and that user has now told me that she is in fact able to view all of the forums even though she is in the restricted group (she remains in group C as well but that group has no special access rights to anything).
She says that the way she figured out to gain access to the forums she is not supposed to have rights to read was 'simple'.
I'm assuming she did not get a username and password from any user in the other group. Any ideas about what a 'simple' way would be for a user to gain access to a private phpbb forum when she is not in a group that has been granted access and has not separately been granted access as a user? (I checked the DB tables and in fact she is only in the restricted group and no permissions have been changed.)
I know it is possible to crack this stuff through brute strength (particularly since we do not require difficult passwords), but since she said what she did was 'simple' I am guessing that is not what she did.
Any ideas?