Recently it has been discovered
that there is a little defect in miniBB's code which in theory allows to execute remote SQL.
Currently this bug is fixed in 2.1a.
The manual fix is: modify bb_func_search.php and locate the following code:if(isset($_GET['where'])) $where=$_GET['where']+0; else $where=0;
after that code paste the line:if($where!=0 and $where!=1) $where=0;
The mentioned Exploit will work (again) only in those cases if you or your provider are not carrying about the security on the server and upon installing the software:
1) if register_globals of php.ini is set to ON (not recommended by PHP team)
2) if via installation of miniBB you have not renamed default table names as it is recommended by miniBB team.