According to Carls, the PNphpBB2 administrator:
...there is a serious exploit (if the hacker knows what they are doing) to inject SQL into the viewforum.php script and possibly obtain password hashes. As this is a very serious issue, all users of this module should refer to the following post, and to the vendor's site in general. http://pnphpbb.com/index.php?name=PNphpBB2&file=viewtopic&p=31253 Take immediate care to patch your site, and to review your logs to make sure you are not a victim of this exploit.
This security advisory is to inform anyone using pnFlashGames that there is a chance of a website being compromised through this module. As stated by Secunia, there is "... a vulnerability in the pnFlashGames module for PostNuke, which can be exploited by malicious people to conduct SQL injection attacks".
As the online version of German computer magazine "c't" reported today, a security flaw in Postguestbook led to a number of defacements.
A security problem has been reported in Pagesetter versions 6.2 to 6.3beta5. The latest version, 6.3 final, is not affected. If you still run one of the listed versions, the PostNuke team recommends updating to 6.3.
Description
PostNuke is an Open Source, open-development content management system (CMS). PostNuke is still undergoing development, but a large number of core functions are now stabilizing and a complete API for third-party developers is now implemented. The PostNuke Development Team has been notified about a vulnerability in the 0.763 version of PostNuke.
CVE Reference: CVE-2006-5733
Description
PostNuke is an Open Source, open-development content management system (CMS). PostNuke is still undergoing development, but a large number of core functions are now stabilizing and a complete API for third-party developers is now implemented. The PostNuke Development Team has been notified about a vulnerability in the 0.762 version of PostNuke. Version 0.800 (currently in development) is unaffected.
CVE Reference: CVE-2006-5121
The PostNuke development team is pleased to announce the release of PostNuke .762. This release addresses a number of issues found since the release of .761, and also introduces new security enhancements. PostNuke .762 has been audited by Maksymilian Arciemowicz of www.securityreason.com for security vulnerabilities, and as a result a great deal of work on security has gone into this release. The PostNuke team thanks Maksymilian for his work, and we hope this will improve PostNuke's existing strong security record. Further audits will be carried out on the PostNuke .8 codebase prior to release.
As a result of the security enhancements in .762, it is advised that all site administrators update their sites immediately to ensure they stay secure.
Arbitrary SQL code execution via adodb (when DB-user is 'root' without password)
DESCRIPTION
PostNuke is an Open Source, open-development content management system (CMS). PostNuke is still undergoing development, but a large number of core functions are now stabilizing and a complete API for third-party developers is now implemented. The PostNuke CMS Development Team was notified by secunia.com about a vulnerability in the adodb database abstraction layer.
Anonymous posting via Comments module (used in PostNuke CMS < 0.761)
DESCRIPTION
PostNuke is an Open Source, open-development content management system (CMS). PostNuke is still undergoing development, but a large number of core functions are now stabilizing and a complete API for third-party developers is now implemented. A PostNuke CMS Development Team member discovered a vulnerability in the Comments module within the 0.7x release cycle.
