I could, but I won't. While your intentions might be honourable enough, there's no guarantee that the next person who reads this thread will have the same innocuous intentions.

You can almost certainly set up suitable logging via your web server to trap the request that's being made that's causing the malicious content to be injected. That should allow you to figure out how to simulate the request, and hence help you close the hole.

Sorry to not be more help.

Update: Yet another grammatical fix.