I post some HTML in a message to the BBS, with some carefully crafted JavaScript or VBScript embedded in it
the BBS admin opens up the message
the BBS software has failed to filter my script out properly
my script gets to run
my script is now running in the admin's browser and therefore with all the admin's rights


Oh, okay, well as a security guy, the first thing I note in your complex scenario is that the admin is running software (in this case his browser) with a privileged account on the same server that the BBS is running on. I can stop reading, because at that point anything can happen. That's asking for trouble. Besides, the default security settings in Netscape and IE don't allow for most of the things you're talking about to happen, they'd have to explicitly be turned to the lowest setting, which, if I'm not mistaken, is called "Please, Oh Please Do Bad Things to My Computer."

I'm not trying to trivialize good security practices, because I know some of this stuff isn't easy to remember and is sometimes a pain in the butt to follow. And yes, it's easier to just disable HTML markup rather than worry about what demons might be lurking in the PHP product's HTML filtering capabilities... But your scenario really relies on the administrator running a client program with permissions to do bad things to the web server... To that, I say "you reap what you sow."
_________________________
- Tony C
my empeg stuff
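
Added example, not part of the original posts and not code from any BBS product: it contrasts a blacklist-style HTML filter with the "disable HTML markup" option mentioned above, and checks what executable markup survives each. The sample messages and the names `naive_filter`, `render_plain` and `active_content` are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "Hello <b>world</b>",
    "<script>alert(1)</script>",
    "<ScRiPt >alert(1)</sCrIpT>",
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
]

def naive_filter(message):
    """Weak approach: strip literal <script> blocks, pass all other HTML through."""
    return re.sub(r"<script>.*?</script>", "", message, flags=re.S)

def render_plain(message):
    """'Disable HTML markup': escape everything so the browser displays it as text."""
    return html.escape(message, quote=True)

class ActiveContentFinder(HTMLParser):
    """Records markup a browser could execute in the reader's session."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def active_content(rendered):
    """Return the list of executable constructs still present in rendered output."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(msg), active_content(naive_filter(msg)), active_content(render_plain(msg)))
```

Escaping on output leaves nothing for the browser to run regardless of who reads the message; the blacklist only removes the one spelling it was written for.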