phpBB Remote Avatar exploit

It recently came to my attention that phpBB's remote avatar exploit is still there! Yes, v2.0.17 is still vulnerable to this exploit. A patch is in the works and probably in the next few days we'll see phpBB 2.0.18.