Yesterday (July 20th, 2007), a post was made on the popular Bugtraq mailing list about a so-called vulnerability in UseBB 1.0.7. The issue is an insecure value of PHP's PHP_SELF variable being used in forms in three old upgrade scripts, which can be exploited for an "XSS attack". However, contrary to what the report states, this vulnerability should be rated far from "dangerous".
In short, this is not a UseBB vulnerability but one in old upgrade scripts which were used up to a couple of years ago.
As a resolution to this vulnerability, these three upgrade scripts have been removed from the source tree in CVS, since they were obviously no longer supported and possibly no longer even working. If you have the install/ directory present in a publicly available forum, you are advised to remove it in any case, although the scripts should only cause SQL errors and perform no changes when used with an existing set-up.
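To illustrate the class of issue described above, here is an added example (not UseBB code, and not taken from the removed scripts) showing a form that outputs PHP_SELF as-is next to two hardened variants. The function names, the script path and the request values are constructed for the illustration.

```php
<?php
// Added illustration; not UseBB code. All names and values are hypothetical.

// The pattern the report describes: PHP_SELF written straight into a form.
// PHP_SELF includes any path info appended after the script name, so part
// of this string is controlled by whoever makes the request.
function form_unescaped(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// Hardened: encode for an HTML attribute context before output.
function form_escaped(string $self): string
{
    return '<form method="post" action="'
        . htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Alternative: SCRIPT_NAME does not carry the appended path info.
// It is still encoded on output as defence in depth.
function form_script_name(array $server): string
{
    return form_escaped($server['SCRIPT_NAME'] ?? '');
}

// Constructed request values; harmless markup stands in for injected content.
$server = [
    'PHP_SELF'    => '/install/example-upgrade.php/"><b>injected</b>',
    'SCRIPT_NAME' => '/install/example-upgrade.php',
];

// Unescaped: the quote closes the attribute and the markup lands in the page.
echo form_unescaped($server['PHP_SELF']), "\n";

// Escaped: the same input stays inside the action attribute as text.
echo form_escaped($server['PHP_SELF']), "\n";

// SCRIPT_NAME: the appended path info never reaches the output.
echo form_script_name($server), "\n";
```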
I am not very satisfied with the way this vulnerability was made public. Besides it being rated "dangerous" without a valid reason, I was not contacted about this vulnerability in advance to offer a resolution before the report was made public. I am very disappointed in the reporter (who calls himself "S4mi") and hope he/she understands the mistakes that were made.
Since this is not the first time we are plagued by partially false reports, we will start publishing our own security reports when necessary as of the release of UseBB 2.0.0.
Update (September 13th): I. Alshanetsky has found another so-called "vulnerability" in UseBB 1 and made a note about this in his talk about PHP security. The code which is said to be exploitable is not exploitable at all. The developer failed to check the code for security measures and to report his (thus false) discovery before making public notes about it. Read more about this on my blog.