MantisBT: master-1.1.x 2641fdc6

Author: dhx
Committer: dhx
Branch: master-1.1.x
Timestamp: 2010-12-14 18:40
Parent: master-1.1.x 78d1449e
Affected Issues: 0012607: LFI/FD and XSS in the 'upgrade_unattended.php'
Changeset

Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

This is a backport of the fix applied to the 1.2.x and 1.3.x branches.

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.

mod - admin/upgrade_unattended.php