I'd see if I could email the admin first, I can't see why that wouldn't be effective - I've done so before on numerous occassions and they're usually pleased that I'm pointing out the flaw rather than exploiting it. However, I accept Nitro's point that some admins will get very suspicious, so be polite and don't make the admin think that you believe them to be an idiot, as they generally know a lot more about computers & security than you do.

You could try powertoad's suggestion of phoning the admins, although whois doesn't always give phone numbers or addresses, and the switch board may not put you through to the IT department and you'll often have to deal with mindless idiots for half and hour before you actually speak to whoever's in charge of security. It's worth a try, but only if you think you'll get through and live in the same country as the admins, otherwise you might get a hefty phone bill!

Whatever you do, you should definitely inform the admin team, by anonymous email if necessary.