Thanks for this.
The only fix to provide is to put this line on top of execution of addon_preview.php:
if (!defined('INCLUDED776')) die ('Fatal error.');
Possibly this was out from the very ancient times, and the exploit actually will work only if PHP's setting register_globals is set to ON, which nowadays, obviously, met truly rarely on hostings. Also, it would work only on miniBB installations which would have Preview add-on installed.
I've updated the official package regarding this fix. Thanks again.