Gregg James "greggles" Knaddison has released a book about Drupal security entitled Cracking Drupal. Has anyone here been able to pick up a copy yet?
Barring disastrously negative reviews, I'll probably pick it up. Even if I learn nothing new, there's some value in remembering and reinforcing the basics.
Reading through the blog entries on the promo site, I came across this one which contains a particularly devious JavaScript which will attempt to change the password of User 1 to whatever you wish. Just find a way to get User 1 to execute it - a cinch if you, as a less-privileged or even anonymous user, have access to the "Full HTML" input filter - and voila, you now have access to their account. Have you double-checked your input filter permissions recently?
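For anyone who wants to answer that last question from a database dump rather than by clicking through the admin UI, here is a small audit helper. It is an added example, not code from the post or from the book; it assumes the Drupal 6 layout where `filter_formats.roles` holds a comma-delimited role list such as `,1,2,` and the `filters` table records `module='filter', delta=0` for the "Limit allowed HTML tags" filter and `module='php'` for the PHP evaluator. The sample rows are constructed.

```python
# Added audit helper (not from the post or from Cracking Drupal).
# Assumed Drupal 6 schema: filter_formats(format, name, roles) with roles
# stored like ",1,2,", and filters(format, module, delta) where
# module='filter', delta=0 is the "Limit allowed HTML tags" filter.

ANONYMOUS_RID = 1        # Drupal's built-in anonymous role id
AUTHENTICATED_RID = 2    # Drupal's built-in authenticated role id
UNTRUSTED_RIDS = {ANONYMOUS_RID, AUTHENTICATED_RID}

# Constructed sample rows, as a site might look after a careless change
# on the "Input formats" page: role 2 has been handed Full HTML.
FILTER_FORMATS = [
    (1, "Filtered HTML", ",1,2,"),
    (2, "Full HTML", ",2,3,"),
    (3, "PHP code", ",3,"),
]
FILTERS = [
    (1, "filter", 0),  # Filtered HTML: tag whitelist applied
    (1, "filter", 1),  # line break converter
    (2, "filter", 1),  # Full HTML: line breaks only, no tag restriction
    (3, "php", 0),     # PHP evaluator
]

def parse_roles(roles):
    """Turn ',1,2,' into {1, 2}."""
    return {int(r) for r in roles.split(",") if r}

def audit_input_formats(formats, filters):
    """Return (format name, exposed role ids, reason) for every format that an
    untrusted role may use and that lets raw markup or PHP through."""
    by_format = {}
    for fmt, module, delta in filters:
        by_format.setdefault(fmt, set()).add((module, delta))
    findings = []
    for fmt, name, roles in formats:
        exposed = parse_roles(roles) & UNTRUSTED_RIDS
        if not exposed:
            continue
        enabled = by_format.get(fmt, set())
        if ("php", 0) in enabled:
            findings.append((name, sorted(exposed), "PHP evaluator enabled"))
        elif ("filter", 0) not in enabled:
            findings.append((name, sorted(exposed), "HTML filter disabled"))
    return findings

if __name__ == "__main__":
    for name, rids, reason in audit_input_formats(FILTER_FORMATS, FILTERS):
        print(f"{name}: roles {rids} may use it, but {reason}")
```

On the sample data it reports only "Full HTML" as reachable by role 2 with the HTML filter off; "PHP code" is quiet because only role 3 can use it.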