You need to be admin for this to work and know the admin page, but it still could be dangerous.
In which way could it be dangerous? Are you, as admin, supposed to hack your own site? ;-) This is what we call a "pseudo" vulnerability, and it has been reported to us earlier. We will fix it in the next stable version of miniBB (we plan to start work on it in November).
Regarding bb_func_checkusr.php, you are right, and the easy fix is this: at the top of that file, right after the <?php tag or below the Copyright comments, paste the line:
if (!defined('INCLUDED776')) die ('Fatal error.');
Truly, this full path won't give you a lot of possibilities to hack, but anyway, this is the error we will fix in the next release as well. Thanks for your report!
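
An added example, not part of the original post and not miniBB code: a small audit that lists PHP files where the guard line quoted above is not the first statement after the opening tag, since code placed before the guard still runs on direct access. It assumes that entry-point scripts are the ones that define INCLUDED776 themselves; the function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Guard named in the post: if (!defined('INCLUDED776')) die ('Fatal error.');
GUARD = re.compile(r"if\s*\(\s*!\s*defined\s*\(\s*['\"]INCLUDED776['\"]\s*\)\s*\)\s*(die|exit)\b")
# Assumption: entry-point scripts are the ones that define the constant themselves.
ENTRY = re.compile(r"\bdefine\s*\(\s*['\"]INCLUDED776['\"]")
# Heuristic comment stripper, enough to skip a copyright header above the guard.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def has_guard_first(source: str) -> bool:
    """True if the guard is the first statement after the opening <?php tag."""
    body = COMMENTS.sub("", source).lstrip()
    if not body.startswith("<?php"):
        return False
    return GUARD.match(body[len("<?php"):].lstrip()) is not None


def unguarded_includes(root: Path) -> list[str]:
    """Names of .php files under root that are neither entry points nor guarded."""
    missing = []
    for path in sorted(root.rglob("*.php")):
        source = path.read_text(encoding="utf-8", errors="replace")
        if ENTRY.search(source) or has_guard_first(source):
            continue
        missing.append(path.name)
    return missing


def demo() -> list[str]:
    """Run the audit over a small constructed tree (not real miniBB code)."""
    samples = {
        "index.php": "<?php\ndefine('INCLUDED776', 1);\ninclude('bb_func_a.php');\n",
        "bb_func_a.php": "<?php\n/* Copyright */\nif (!defined('INCLUDED776')) die ('Fatal error.');\nfunction a() {}\n",
        "bb_func_b.php": "<?php\nfunction b() {}\nif (!defined('INCLUDED776')) die ('Fatal error.');\n",
        "bb_func_c.php": "<?php\n// helper with no guard\nfunction c() {}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            (Path(tmp) / name).write_text(text, encoding="utf-8")
        return unguarded_includes(Path(tmp))


if __name__ == "__main__":
    print(demo())
```

Files it reports still need a manual look: a script meant to be requested directly will not carry the guard.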