Bug
Resolution: Fixed
3.0.x
X_FORWARDED_FOR is not filtered through htmlspecialchars here:
$this->browser = (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : '';
$this->forwarded_for = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
So it will be possible to use this vulnerability if some mod uses these lines and x_forwarded_for here.
Taken from PhpBB 3 Vulnerability and Forscripts.Net On-Line Test 1/2008
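Added example, not phpBB's code and not the fix that was applied to this ticket: one way to treat the X-Forwarded-For header so that a mod which later prints the stored value gets only validated, HTML-escaped data. The helper name normalize_forwarded_for() and the sample header values are assumptions constructed for illustration.

```php
<?php
// Added example. normalize_forwarded_for() is a hypothetical helper, not a phpBB function.

/**
 * Reduce X-Forwarded-For to a comma-separated list of syntactically valid
 * IP addresses and HTML-escape it, as the user-agent line above already does.
 */
function normalize_forwarded_for(array $server): string
{
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return '';
    }

    $valid = [];
    foreach (explode(',', (string) $server['HTTP_X_FORWARDED_FOR']) as $entry) {
        $entry = trim($entry);
        // The header is client-controlled: keep IPv4/IPv6 literals, drop the rest.
        if (filter_var($entry, FILTER_VALIDATE_IP) !== false) {
            $valid[] = $entry;
        }
    }

    // Escaping is redundant for valid IPs, but it keeps the stored value
    // safe to print even if the validation above is relaxed later.
    return htmlspecialchars(implode(', ', $valid), ENT_QUOTES, 'UTF-8');
}

// Constructed sample header values (not taken from the report).
$samples = [
    '203.0.113.7, 10.0.0.1',        // ordinary proxy chain
    '"><script>alert(1)</script>',  // markup in place of an address
    '2001:db8::1, not-an-ip',       // one valid entry, one invalid
];

foreach ($samples as $raw) {
    // The reported line stores only a (string) cast of the header.
    $as_reported = htmlspecialchars((string) $raw, ENT_QUOTES, 'UTF-8');
    $normalized  = normalize_forwarded_for(['HTTP_X_FORWARDED_FOR' => $raw]);

    // $as_reported is escaped here only so this demo output is itself safe to view.
    printf("header (escaped for display): %s\n", $as_reported);
    printf("value to store:               %s\n\n", $normalized === '' ? '(empty)' : $normalized);
}
```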