Janek Vind (waraxe) has found more security issues in phpnuke. We are reviewing his findings now and will report back soon. See this link for the gory details.

All Oracle Corp. Applications and most E-Business Suite customers are at high risk from multiple, critical SQL injection vulnerabilities. The vulnerabilities were uncovered by Stephen Kost from the security firm Integrigy Corp. Read Article  Read More...

We are aware that some new exploits/advisories have been issued concerning phpnuke and we are looking into those reports right now. If we find that they are legitimate, we will determine a solution and will make it/them available ASAP.

PHP-Nuke 7.3 security and bug fix update.
Fixes:
Path disclosure in security check of files.
Included instructions mainly cover that one but included files also cover:
Sql Injection filter update
Stories categories show as already existing even if they don't.
Missing semi-colon in admin stories file
Downloads orderby fix
Mailpasswd username length limit
Incorrect user validation in Your Account module
Stories with timestamp 00:00:00 don't show in Stories_Archive.
Single quotes in content category description.
Multiple vulnerabilities SQL injection and XSS
Download here.

Note: 

Update: Forum files removed from patch and security fix applied to the Reviews module.

BobMarion writes:  

This was uncovered by NSN Sentinel™ when applied to the test sites.

In Your Account's index.php file you will find 4 placements of:
getusrinfo($user);
if (($userinfo[username] != $cookie[1]) AND ($userinfo[user_password] != $cookie[2])) {

These should be:
cookiedecode($user);
getusrinfo($user);
if ((is_user($user)) AND ($userinfo['username'] == $cookie[1]) AND ($userinfo['user_password'] == $cookie[2])) {

Note: 

Admin note: Code updated 5/28/04, our thanks to Dogman.

I've started a topic in the Security Forum regarding reports of Unsolicited Security Advisories. Please read this as an actual advisory and feel free to contribute to the discussion.

sixonetonoffun