Ravens PHP Scripts: Security



 

 

Downloads & Web Links vulnerability Patch

Posted on Thursday, October 09, 2003 @ 11:47:50 CDT in Security
by Raven

From ChatServ at Nuke Cops

Recently a SQL injection vulnerability has been reported that relates to the Downloads and Web Links modules, where an admin account can be created by passing a SQL line through the $cid variable. I have patched both modules not only to block this code from being passed through the $cid variable but through all similar variables as well. Patch your websites.
Download for PHP-Nuke 6.5-6.9
Download for PHP-Nuke 6.0

Admin Note: I have updated the v6.9 download pack, from this site, as of 10/9/2003 18:25 to include these patches.

These files have been updated since this message was posted! You need to download them again by clicking on the pertinent link above!!
 

 

Security Alert

Posted on Sunday, July 27, 2003 @ 21:57:11 CDT in Security
by Raven

Security Alert 7/20/2003!

I've been helping a user today. He couldn't log in as Admin and upon investigation it just looked like a case of a forgotten password. Once I got him up and running, he said he knew he had never entered that author name in the God record. He inspected the nuke.sql file from his v6.8 distro and the INSERT statement to nuke_authors came preinstalled (thank you very much) with a user 'aaa' and a password that of course was MD5'd! He said he got the v6.8 from a link on nukephp.org.

I won't bother preaching about using versions that aren't public and aren't from reliable sources. Be warned, however, to make sure you know your sources!

Read this post for more on this.
 


