SECURITY UPDATE - 5.0.21
Janek Vind has kindly let us know about a potential SQL injection issue in Phorum 5.0.x. A properly crafted search URL could reveal data from other tables in the database. It is not possible to delete or alter the data using this exploit, only view data. That, however, is still serious.
This does not affect users whose PHP settings have register_globals off. Since PHP 4.1, the PHP team has recommended that register_globals be disabled. This has been the default since 4.2. However, many web hosts have left this feature enabled as users that did not understand the ramifications were accustomed to its power.
To fix this issue, either disable register_globals or upgrade to 5.0.21. I recommend both. You can read more about register_globals at the PHP web site.
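One way to confirm that nothing on a host still turns register_globals on, as an added example that is not part of the original announcement or of Phorum. The function name and the set of file names scanned are assumptions; adjust them to where your PHP and Apache configuration actually lives.

```sh
#!/bin/sh
# Added example (not Phorum code): list configuration lines that enable
# register_globals under a directory tree.
#
# Recognised forms:
#   php.ini / .user.ini : register_globals = On
#   Apache with mod_php : php_flag register_globals on
#                         (also php_value, php_admin_flag, php_admin_value)
# Lines commented out with ';' or '#' are ignored.
#
# A clean result only means no scanned file enables the setting. PHP
# releases before 4.2 default to On, so those need an explicit Off.

find_register_globals_on() {
    # $1: directory to scan. The file names below are an assumption about
    # where the configuration lives on this host.
    #
    # -i : PHP and Apache accept the directive and value in any case
    # -n : print line numbers
    # /dev/null as an extra operand makes grep always print the file name.
    # grep exits 1 when nothing matches, which is not an error here.
    find "$1" -type f \( -name 'php.ini' -o -name '.user.ini' \
            -o -name '.htaccess' -o -name '*.conf' \) \
        -exec grep -niE \
'^[[:space:]]*(php_(admin_)?(flag|value)[[:space:]]+)?register_globals([[:space:]]*=[[:space:]]*|[[:space:]]+)"?(on|1|true|yes)"?([[:space:];#]|$)' \
        /dev/null {} + || true
}

# Stand-alone use: sh check_register_globals.sh /etc
if [ "$#" -gt 0 ]; then
    find_register_globals_on "$1"
fi
```

Each output line has the form file:line:text. An empty result for the whole configuration tree, together with PHP 4.2 or later, matches the "register_globals off" condition described above.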