Ravens PHP Scripts: Security



 

 

phpBB Arbitrary File Disclosure Vulnerability

Posted on Wednesday, February 23, 2005 @ 14:37:02 CST in Security
by Raven

crypto writes:  
Security Alert: phpBB Group phpBB Arbitrary File Disclosure Vulnerability! The remote exploitation of an input validation vulnerability in the phpBB Group's phpBB2 bulletin board system allows attackers to read the contents of arbitrary system files under the privileges of the web server.

Exploitation of this vulnerability allows remote attackers to view arbitrary system files under the privileges of the underlying web server. An attacker must have, or be able to create, an account on the target system. Non-default settings must also be enabled for exploitation to be possible. Upon successful exploitation, an attacker may be able to further compromise the system by gleaning system information that would otherwise be inaccessible to the attacker.

Note: 
Chatserv believes that these issues have been fixed in 2.0.12. I am posting this for awareness, though, in the event you haven't fixed yours yet :)
 

 

NukeCommerce 1.5.0 concerns raised

Posted on Wednesday, February 23, 2005 @ 06:55:29 CST in Security
by sixonetonoffun

Visiting the NukeCommerce site the past couple of days would have revealed the following message:
nukecommerce will be back online shortly. The world would be a better place if certain individuals would stop hacking opensource software sites, I'm sure we'd all be a little better off.. Since somebody hacked the site we have sent all of our monitoring logs to the appropriate agencies, and we have been advised to not open our site back up.

Now this is a pretty nondescript statement put out by the team there. What happened in detail only time will tell. But I have had the opportunity to download and briefly test the recent NukeCommerce 1.5.0 version but have no way of knowing if this was the package being used on their site.
I’ve started a poll and discussion here.
 

 

PHP-Nuke Patched 2.9

Posted on Friday, February 18, 2005 @ 17:07:46 CST in Security
by chatserv

PHP-Nuke Patched 2.9 is ready and the initial versions have been released. Aside from taking care of several bugs and vulnerability fixes, 2.9 changes how file access is checked and silences all calls to files; $inside_mod was changed to an INSIDE_MOD definition instead of a variable and left in place for use in Nuke Patched 3.0.

Currently released patches are for PHP-Nuke 7.3 through 7.6. Their download links are available on the front page of this website, both in full zip version and as separate CVS files. The patches also include a changes file for those who prefer to update manually. The rest of the patches will be released in the following days.

 

 

PHP-Nuke Cross-Site Scripting Vulnerabilities

Posted on Wednesday, February 16, 2005 @ 11:57:45 CST in Security
by Raven

crypto writes:  
Two vulnerabilities have been reported in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. The vulnerabilities have been reported in versions 6.x through 7.6. Other versions may also be affected.

Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
 

 

SHA-1 has been broken

Posted on Wednesday, February 16, 2005 @ 08:34:40 CST in Security
by Raven

Bad news. I just read on Bruce Schneier's blog that SHA-1 has been broken. Bruce states:

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

He continues: This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn't affect applications such as HMAC where collisions aren't important).

This is a big deal.
 

 

PHP Cryptography - An Introduction Using Mcrypt

Posted on Monday, February 14, 2005 @ 08:30:44 CST in Security
by Raven

From International PHP Magazine Issue: 3.2004 - by Robert Peake

"This article, PHP Cryptography - An Introduction Using Mcrypt, will define two-way key cryptography and explain how it differs from other well known PHP functions, like md5 and rot13, and when it is appropriate to use one-way hashing or two-way encryption. Then we will step through installing mcrypt as a dynamically loadable extension. We will explore two applications: encrypting cookies, and encrypting database information (such as credit card numbers). The article will point out some of the security implications of creating an encryption/decryption scheme in a plain text scripting language, and offer solutions such as encoding, source-compiling commands, and authoring new extensions."
 


