There is a known vulnerability in version 0.4.7.1 and below. The exploit involves the "install05.php" file.
Make sure you delete all the "install" files after you have created your password and configured your blog.
This vulnerability has been fixed in 0.4.7.2. Also, deleting the "install05.php" in previous versions will fix the issue.