[Original text] MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site scripting (XSS) or SQL injection attacks.
MyBB contains a flaw that may allow a malicious user to manipulate arbitrary script variables. The issue is triggered when a remote attacker accesses the global.php script which may allow the manipulation of arbitrary script variables or the execution of arbitrary code resulting in a loss of integrity.
Upgrade to version 1.1.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
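
The variable-overwrite pattern behind this entry, shown as an added PHP illustration that is not MyBB's code: the function names, variable names and request array are hypothetical and constructed for this example. It places an unguarded `@extract` of request data beside an allow-listed alternative.

```php
<?php
// Added illustration; not MyBB source. All names here are hypothetical.

// Constructed request input: the client supplies a parameter whose name
// collides with a variable the script relies on internally.
$request = ['page' => '2', 'is_admin' => '1'];

// Weak pattern: extract() with its default flag (EXTR_OVERWRITE) lets any
// request key replace a variable that is already set in this scope.
function load_weak(array $input): array
{
    $is_admin = false;   // set by the application
    $page = '1';
    @extract($input);    // request keys can overwrite both variables
    return ['page' => $page, 'is_admin' => $is_admin];
}

// Hardened pattern: read only the keys the script expects, validate each
// one, and never let request data reach variables the application owns.
function load_hardened(array $input): array
{
    $is_admin = false;
    $page = 1;
    if (isset($input['page']) && ctype_digit((string) $input['page'])) {
        $page = (int) $input['page'];
    }
    return ['page' => $page, 'is_admin' => $is_admin];
}

// Run both loaders on the same constructed request and compare the
// application-owned variable afterwards.
var_dump(load_weak($request)['is_admin']);
var_dump(load_hardened($request)['is_admin']);
```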