Ravens PHP Scripts: Security



 

 

SQL Injection Vulnerability!

Posted on Wednesday, February 04, 2004 @ 20:05:04 CST in Security
by Raven

Please! Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .

Otherwise your admin passwords can be exposed. They are still encrypted, but depending on how serious someone was to get them, they might! Please note that Chatserv's Patches have this fix in them, but FB should have patched his releases by now and hasn't!

Admin Note: See this post for further discussion and code for protecting your site.
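To run the check described in the post above across a file or a whole module tree, here is an added example (not code from the post or from PHP-Nuke). It is a heuristic scanner; the function name `find_unquoted_vars`, the regular expression and the sample queries are constructed for illustration.

```python
import re
import sys

# Heuristic (an assumption of this example): a column compared directly to a
# PHP variable with no opening single quote, e.g. WHERE id=$id or WHERE id=" . $id
UNQUOTED = re.compile(
    r'\b(?:WHERE|AND|OR)\s+([\w.]+)\s*(?:=|<>|!=|<=|>=|<|>)\s*(?:"\s*\.\s*)?(\$\w+)',
    re.IGNORECASE,
)


def find_unquoted_vars(php_source):
    """Return (line_number, column, variable) for each unquoted comparison."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in UNQUOTED.finditer(line):
            findings.append((line_no, match.group(1), match.group(2)))
    return findings


# Constructed sample input: these queries are illustrative and are NOT the
# real contents of modules/Reviews/index.php.
SAMPLE = '''<?php
// constructed sample
$r = sql_query("SELECT title FROM ".$prefix."_reviews WHERE id=$id", $dbi);
$r = sql_query("UPDATE ".$prefix."_reviews SET hits=hits+1 WHERE id='$id'", $dbi);
$r = sql_query("SELECT cid FROM ".$prefix."_reviews_comments WHERE rid = $id AND score=$score", $dbi);
$r = sql_query("SELECT title FROM ".$prefix."_stories WHERE sid=" . $sid, $dbi);
'''

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="latin-1").read()) for p in paths]
    for name, text in sources or [("SAMPLE", SAMPLE)]:
        for line_no, column, variable in find_unquoted_vars(text):
            print(f"{name}:{line_no}: {column} compared to unquoted {variable}")
```

Each reported line is a candidate for the quoting change the post asks for; queries built in other ways (for example across several lines) are outside what this pattern sees and still need a manual read.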
 

 

PHP-Nuke Patched 2.1

Posted on Wednesday, February 04, 2004 @ 14:29:39 CST in Security
by chatserv

Additional variable validation added to the Surveys, Sections, Reviews and Search modules, corrected some core bugs in versions 7.0 and 7.1. For those that don't know what PHP-Nuke Patched is, these are not full packs; not all files are included, only those that have been secured. These files attempt to secure PHP-Nuke as best as humanly possible by providing variable validation to help prevent SQL injection code from being inserted, and also help by authenticating the URL address used in many cases to block intentionally altered browser address URLs. I had made some modifications to the previous version but had not changed the version number, as the changes were minor and did not warrant it; this time the changes do merit a new version, so here it is.

Download locations:
Nuke 6.0 · Nuke 6.5 · Nuke 6.6-6.8 · Nuke 6.9 · Nuke 7.0 and Nuke 7.1
 

 

MSN looking fraud

Posted on Thursday, January 15, 2004 @ 10:05:40 CST in Security
by Raven

takaharu writes:  
Hi guys,

just wanted to advise you that some idiot is sending emails looking like they come from MSN, in which they claim that you need to verify your account. If you click the URL to do so (the URL looks like https but takes you to a regular http page) you will be asked for your credit card details, email address, email password, etc.
 

 

PHP-Nuke Patched R.C. 2

Posted on Friday, December 05, 2003 @ 08:29:36 CST in Security
by Raven

chatserv writes:  
This will be the last pre-stable release of the patched version of Nuke. Although these files have been tested and no visible bugs have been detected, they have been given an RC status tag so that any bugs I may have missed can be reported by users before they can be considered stable and bug/error-free. The following is an overhead description of what the patches cover:

. New Abstraction layer conversion.
. Variables quoted on all SQL queries.
. Security check added to most variables.
. Bugs in core files fixed.
. Previous sec-fix patches applied.

Downloads:
Nuke 6.0 - Nuke 6.5 - Nuke 6.6-6.8 - Nuke 6.9 and 7.0 (ALPHA2 - fully operational, current version to be patched shortly).
 

 

And yet another admin.php security hole!

Posted on Tuesday, October 14, 2003 @ 21:27:30 CDT in Security
by Raven

In searching out the exploits of Nuke this month, I came across another one that Nuke Cops was not aware of. I reported it to ChatServ and he graciously and expeditiously supplied yet another patch. Interestingly enough, although the hole is in the admin.php logic, it is repaired in auth.php. Read this post for the fix.

Admin Note: I have updated the v6.9 download pack, from this site, as of 10/14/2003 22:25 to include this patch.
 

 

PHP-Nuke admin.php security hole fix!

Posted on Tuesday, October 14, 2003 @ 13:20:34 CDT in Security
by Raven

From NukeCops: "Recently a security hole was announced in reference to an admin.php exploit where anyone can obtain PHP-Nuke administrator access."

I have added a few lines to the suggested fix to make it a bit easier to know which function call to use. Please see this post for the fix.

Admin Note: I have updated the v6.9 download pack, from this site, as of 10/14/2003 17:25 to include this patch.
 


