#3 Security problem

open
nobody
None
5
2006-11-20
2006-11-20
kestasjk
No

I conducted an audit of your code; I didn't take into account abusive servers, only abusive users.
I found no SQL injection or JavaScript injection problems; all inputs are well escaped. I only found one problem:

index.php: include('include/out_'.(preg_match('/[a-z]+/',$include=@$_GET['inc']) && is_file("include/out_$include.inc.php") ? $include : $include="index").".inc.php");

and

out_plugin.inc.php: if(preg_match('/[a-z]+/',$plugin=@$_GET['plugin']) && is_file($file='plugins/'.$plugin.'/out.inc.php')) {

The regexes used only check that there is a character a-z somewhere in the $_GET[''] variable, not that the whole thing is a-z as intended. It should be
preg_match('/^[a-z]+$/'

On older versions of PHP you can do file_exists('directoryThatDoesntExist/../SomeFile.php');, so on older versions of PHP you can use the code above to include any file on the webserver that ends in .inc.php.
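
The difference between the two patterns in the report above, as an added example (not code from the project or from the reporter). The function names, the sample request values and the $known page list are constructed assumptions; the third pattern uses \A and \z because in PCRE "$" also matches just before a trailing newline.

```php
<?php
// Added example, not the project's code. Function names and sample values are
// constructed; the first two patterns are the ones quoted in the ticket.
$patterns = [
    'unanchored /[a-z]+/'     => '/[a-z]+/',     // as used in index.php
    'anchored   /^[a-z]+$/'   => '/^[a-z]+$/',   // fix proposed in the ticket
    'strict     /\A[a-z]+\z/' => '/\A[a-z]+\z/', // also rejects a trailing "\n"
];

// Constructed request values for the "inc" / "plugin" parameter
$samples = ['index', 'plugin', 'x/../other', "index\n", 'Index1', ''];

function accepts(string $pattern, $value): bool
{
    // Arrays (?inc[]=x) and other non-strings are rejected before matching.
    return is_string($value) && preg_match($pattern, $value) === 1;
}

// Print which sample values each pattern lets through
foreach ($patterns as $label => $pattern) {
    echo $label, "\n";
    foreach ($samples as $s) {
        $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
        printf("  %-16s %s\n", $shown, accepts($pattern, $s) ? 'accepted' : 'rejected');
    }
}

// Hardened lookup: validate the whole value, then map it onto a fixed set of
// known page names instead of trusting a filesystem check on user input.
function resolve_include($value, array $known): string
{
    if (!accepts('/\A[a-z]+\z/', $value) || !in_array($value, $known, true)) {
        return 'index';
    }
    return $value;
}

$known = ['index', 'plugin'];   // assumed page names, not taken from the project
var_dump(resolve_include('x/../other', $known));
var_dump(resolve_include('plugin', $known));
```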
