First there were Brazilian criminals. Now a phpBB worm is on the wild, defacing any websites still running old version of phpBB.
Idban already showed a quick fix for this to be placed in .htaccess file.
Alternatively, if you have mod_security installed, you can put this instead :
/etc/init.d/apache restart, and you’re set.