Recently discovered security issue may bring the SQL injection, it all happens because the $cook variable in bb_cookie.php is not verified.
It all will work (as usually) if PHP setting register_globals is set to ON, additionally magic_quotes_gpc set to OFF.
Quick fix is to add 'cook' value to the $unset array which appears at the very top of index.php and bb_admin.php files. For example if you have
add to the end 'cook' value separating it by comma.
Credit goes to mr. Stefan Esser who kindly discussed this issue privately with us not reporting it to public. Thank you.