Cross-site scripting (XSS) vulnerability in MercuryBoard 1.0.x and 1.1.x allows remote attackers to inject arbitrary HTML and web script via the f parameter.
http://secunia.com/advisories/13937
http://lostmon.blogspot.com/2005/02/mercuryboard-forumphp-f-variable-xss.html