Ulf Harnhammar found 2 security bugs in L-Forum:
1. subject, from and e-mail fields ain't passed through
htmlspecialchars, so it can contain possibly danger
2. there's exploit on attachment system that can get
any file from server to which user have access
Here is patch that fixes that bugs.