Pixie 1.0.4 allows an admin/index.php s=login&m= XSS attack.