Take a look at this: http://www.onsugar.com/CHANGELOG.txt
You will notice that the most recent entry reads this: "Drupal 4.7.0, 2006-05-01". It would be great if we could hear from an admin if they're really running this system on an insecure and 2-year-old version of the Drupal CMF. The latest version of Drupal 4.7 before it got discontinued was 4.7.11. This means that 11 security patches were not applied. More than that, the current "big" version of Drupal is Drupal 6, and Drupal 7 is in development. All I can hope is that the CHANGELOG.txt is intentionally false to cause confusion to any would-be abuser.
I popped a response to you on http://drupal.org/node/310996 - we're secure and not using the version of Drupal referenced in the changelog - we'll whack that shortly.