Your fix worked for POST but then again someone found another way to do it
http://example.com/forum/vbshout.php?instanceid=1&do=ajax&action=fetch&shoutorder=DESC&type=chatroom_2
it will show the chat room xml even if you dont have permissions to see it
By using an external form like this:
<form action="http://www.nameOfSite.com/forum/vbshout.php" method="POST">
<input type="text" size="20" name="securitytoken" value=""><br> <!-- Security token can be found at the source of a website -->
<input type="hidden" size="7" name="do" value="ajax">...