That risk could have been eliminated by converting every uploaded image to TIFF (say) and then to PNG. Or to PNG then to GIF. This simple solution would also have the advantage of disallowing those irritating animated avatars.
EDIT: or just prohibit GIF images, why not?
You haven't looked at it carefully, PNGs & JPEGs & BMPs are also affected. Not sure about TIFF.
I have read more carefully now. The hack seems to be entirely dependent on the HTML page using a <script...></script> tag with the image file named as the script source. Why would the forum pages do that? If the avatar image is used only inside <img ...></img> tags, any javascript embedded in the file will never be executed. Isn't it so?
The risk described there seems to be a malicious site using that trick to send javascript to the browser without using a file with ".js" extension. In that case, an investigator who is watching the files being fetched, looking for javascript code, may fail to recognize that one.
In any case, image converters like ImageMagick will ignore any javascript in the hacked header (or will choke on it), and convert the pixels to a different bit encoding; so that a doubly-converted image will be safe.
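As an added illustration of the two points made in the thread (the image is only dangerous when fetched as a script, and re-encoding it through a converter destroys the trick), here is a small Python example. It is not code from the original post or from ImageMagick: it constructs a valid 1x1 GIF, turns it into a GIF/JavaScript polyglot by choosing a logical-screen width whose two bytes spell `/*` and appending `*/` plus a script after the GIF trailer, then walks the GIF block structure to flag and strip anything that is not part of the image. The helper names (`parse_gif`, `polyglot_indicators`, `reencode_gif`) and the sample bytes are my own, constructed for this example.

```python
import struct

# A minimal, valid 1x1 transparent GIF89a (constructed sample input).
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"   # header, 1x1, global color table flag
    + b"\x00\x00\x00\xff\xff\xff"                        # 2-entry global color table
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"                # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"        # image descriptor
    + b"\x02\x02\x44\x01\x00"                            # LZW min code size + one data sub-block
    + b"\x3b"                                            # trailer
)

# The same image as a JS polyglot: width bytes 0x2F 0x2A read as "/*", so the
# whole binary becomes a JS comment, closed by "*/" after the GIF trailer.
# A browser fetching this via <script src=...> evaluates "GIF89a/*...*/=1;..."
# and the assignment plus the trailing statement run; <img> never executes it.
JS_TAIL = b"*/=1;console.log('image ran as a script');"
POLYGLOT_GIF = b"GIF89a" + b"\x2f\x2a\x01\x00" + CLEAN_GIF[10:] + JS_TAIL


def _sub_blocks(data, pos):
    """Walk a chain of GIF data sub-blocks; return the offset just past the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif(data):
    """Parse the GIF block structure; report any bytes that follow the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    gct_len = 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0
    gct = data[pos:pos + gct_len]
    pos += gct_len
    blocks, trailing = [], None
    while pos < len(data):
        tag, start = data[pos], pos
        if tag == 0x3B:                       # trailer: everything after it is foreign
            trailing = data[pos + 1:]
            break
        if tag == 0x2C:                       # image descriptor
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:                # local color table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                          # LZW minimum code size
            pos = _sub_blocks(data, pos)
            blocks.append(("image", data[start:pos]))
        elif tag == 0x21:                     # extension block
            label = data[pos + 1]
            pos = _sub_blocks(data, pos + 2)
            blocks.append(("ext%02x" % label, data[start:pos]))
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (tag, start))
    if trailing is None:
        raise ValueError("missing trailer")
    return {"header": data[:13], "width": width, "height": height,
            "gct": gct, "blocks": blocks, "trailing": trailing}


def polyglot_indicators(data):
    """Cheap upload-time check: data past the trailer, or a width that spells a JS comment opener."""
    g = parse_gif(data)
    reasons = []
    if g["trailing"]:
        reasons.append("%d bytes after GIF trailer" % len(g["trailing"]))
    if data[6:8] == b"/*":
        reasons.append("logical screen width 0x%04x encodes '/*'" % g["width"])
    return reasons


def reencode_gif(data):
    """Rewrite the file from its parsed structure: keep header, palette, graphic control
    extensions and image data; drop comments, application extensions and trailing bytes."""
    g = parse_gif(data)
    out = bytearray(g["header"] + g["gct"])
    for kind, raw in g["blocks"]:
        if kind in ("image", "extf9"):
            out += raw
    out.append(0x3B)
    return bytes(out)
```

Two things worth noticing when running it. First, the rewritten polyglot still begins with `GIF89a/*`, because the width really is 0x2A2F pixels and any converter that preserves dimensions will keep those bytes; that is harmless on its own, since without the closing `*/` the file is an unterminated comment and fails to parse as a script. Second, this example only copies the LZW data sub-blocks verbatim, whereas a real converter such as ImageMagick decodes and re-compresses the pixels, which also removes anything hidden inside the image data or palette; the structural rewrite shown here is the cheaper check, not a substitute for the double conversion the post recommends.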