"Lying in a featherbed will bring you no fame, nor staying beneath the quilt, and he who uses up his life without achieving fame leaves no more vestige of himself on Earth than smoke in the air or foam upon the water." -Dante Alighieri
Darkcoder found a flaw in realistic 12 that allowed him to read any file through the guest.pl script. The bug was that user-input was checked before the uri escape was done, allowing him to specify any character he wanted.
Nines9 and StenoPlasma found a CSRF vulnerability in the Forum BBCode that allowed them to make themselves site administrators, log out users, flag comments, accept and delete IRC linked Nicknames, etc.