phpBB 2.0.22 Remote PM Delete XSRF
http://www.securityfocus.com/archive/1/487004/30/0/threaded
Fix by Evaders99
http://evaders.swrebellion.com/forums/postp451.html#451
------------------------------------------------------------------------
This applies to all users of phpBB 2.0.22 as well as all phpNuke forums using BBToNuke 2.0.22
Fix is for all phpBB / Nuke Patched / Nuke Patched Core / RavenNuke
(Different file names, same code)
phpBB 2.0.22 - privmsg.php
phpNuke - modules/Private_Messages/index.php
------------------------------------------------------------------------
FIND
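$s_hidden_fields .= ( isset($HTTP_POST_VARS['delete']) ) ? '<input type="hidden" name="delete" value="true" />' : '<input type="hidden" name="deleteall" value="true" />';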
AFTER, ADD
$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
FIND
else if ( $confirm )
{
AFTER, ADD
// session id check
if ($sid == '' || $sid != $userdata['session_id'])
{
	message_die(GENERAL_ERROR, $lang['Session_invalid']);
}
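
How the session id check treats a confirmed delete request, as an added example that is not part of the original fix or of phpBB's code. The function names and sample values are hypothetical, and hash_equals() (PHP 5.6+) stands in for the loose != comparison used in the fix.

```php
<?php
// Added illustration, not phpBB code: names and values below are hypothetical.

// Build the hidden fields of the delete confirmation form, bound to the session.
function build_confirm_fields(array $userdata, array $mark_list)
{
    $fields = '<input type="hidden" name="delete" value="true" />';
    foreach ($mark_list as $id) {
        $fields .= '<input type="hidden" name="mark[]" value="' . intval($id) . '" />';
    }
    // The session id acts as the anti-XSRF token: another site cannot read it.
    $fields .= '<input type="hidden" name="sid" value="'
        . htmlspecialchars($userdata['session_id'], ENT_QUOTES) . '" />';
    return $fields;
}

// Decide whether a confirmed delete request may proceed.
function confirm_delete_allowed(array $post, array $userdata)
{
    if (!isset($post['confirm'])) {
        return false; // nothing confirmed yet
    }
    // A non-string sid (for example sid[]=x) is treated as missing.
    $sid = (isset($post['sid']) && is_string($post['sid'])) ? $post['sid'] : '';
    // Reject a missing token, then compare in constant time.
    return $sid !== '' && hash_equals($userdata['session_id'], $sid);
}

// Constructed sample data.
$userdata = array('session_id' => '0123456789abcdef0123456789abcdef');
$base = array('confirm' => 'Yes', 'delete' => 'true', 'mark' => array('7'));

$requests = array(
    'form post with session sid' => $base + array('sid' => $userdata['session_id']),
    'cross-site post, no sid'    => $base,
    'cross-site post, wrong sid' => $base + array('sid' => str_repeat('0', 32)),
    'sid sent as array'          => $base + array('sid' => array('x')),
);

echo build_confirm_fields($userdata, array(7)), "\n";
foreach ($requests as $label => $post) {
    $result = confirm_delete_allowed($post, $userdata) ? 'delete' : 'Session_invalid';
    echo $label, ': ', $result, "\n";
}
```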