I was hoping to keep this fix silent until the release of v6.00.400, but it has come to my attention that some people have discovered it. The exploit affects forum attachments, similar to the avatar exploit fixed in v6.00.305, so I would prefer not to release the exact details. I have adapted the new attachment code for v6.00.306 and you can download it now.
Existing v6.00.305 users can download the file '6.00.306 update for v6.00.305'. If you are using an earlier 6.00.3 version ensure you upgrade to v6.00.305 before applying this update. Simply upload the inluded files and click upgrade under System Admin. The Sourceforge packages have also been updated as usual. If you wish to update manually please refer to the forum thread Manual update for v6.00.306.
Update: There was a minor error in the downloads which prevents attachments from working. This has now been corrected, simply reupload the files contained in the update zip. Sorry about that.
