I think they've fixed this now. I just installed the script. What do you put in each field (username and password) to test for this injection?