=== modified file 'includes/form.inc'
--- includes/form.inc	2009-04-11 22:19:44 +0000
+++ includes/form.inc	2009-04-19 05:46:00 +0000
@@ -1822,6 +1822,10 @@ function form_ahah_callback() {
 
   // Get the form from the cache.
   $form = form_get_cache($form_build_id, $form_state);
+  if (!$form) {
+    // Invalid form_build_id posted, likely a hacking attempt. Just do nothing.
+    exit;
+  }
 
   // We will run some of the submit handlers so we need to disable redirecting.
   $form['#redirect'] = FALSE;
@@ -1841,7 +1845,9 @@ function form_ahah_callback() {
 
   // Get the callback function from the clicked button.
   $callback = $form_state['clicked_button']['#ahah']['callback'];
-  $callback($form, $form_state);
+  if (drupal_function_exists($callback)) {
+    $callback($form, $form_state);
+  }
 }
 
 /**