Fair enough ;)
Shame it's too dangerous to let her know the real site could be so modified.
I call the website "her blog" because it runs on Serendipity which calls itself a "weblog application". If the point wasn't in the distinction between "her blog" and "her website", then I missed it.
Is that copy of the website a record of a modification to the live site or is it limited to the copy?
Related: Given the treatment Bailey is receiving, can anyone advise on the correct way to inform Paula Bennett if, hypothetically, her blog seemed to be vulnerable to SQL injection?
IANAL, but for those with legal concerns:
(1)Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.
(2)To avoid doubt, subsection (1) does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access.
I think it's fair to say that a self-service kiosk implies a certain level of authorisation to access the system (where "system" is defined in the Act as stretching to encompass the network). My reading of subsection 2 is that once they've given you access, you can have at anything which isn't bolted down, so long as you limit your activities to viewing so as not to engage the parts of the Act which cover damaging or interfering.