PostNuke

Security Alert

Contributed by Anonymous on Oct 13, 2001 - 01:05 AM

This hole appears to affect all versions of PostNuke from the initial release up to .6.4. If you are running an older version, or would just prefer to patch your own, here is the simple fix:

In article.php, somewhere around line 50, you should see this snippet of code:

    if ($save) {
        // Decode the "user" cookie into $cookie (uid, uname, pass, ...)
        cookiedecode($user);
        // Store the reader's display preferences against the cookie's uid
        mysql_query("update $pntable[users] set umode='$mode', uorder='$order', thold='$thold' where uid='$cookie[0]'");
        // Reload the user record and re-issue the "user" cookie from it
        getusrinfo($user);
        $info = base64_encode("$userinfo[uid]:$userinfo[uname]:$userinfo[pass]:$userinfo[storynum]:$userinfo[umode]:$userinfo[uorder]:$userinfo[thold]:$userinfo[noscore]");
        setcookie("user","$info",time()+$cookieusrtime);
    }

In the very first line, you will want to replace:

    if ($save) {

with:

    if (($save) && (is_user($user))) {


What this does is check whether the user is actually logged in, rather than anonymous, before the cookie is rewritten. This fix has been verified on this site, along with the sub sites, before and after. This appears to plug the hole.

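To make the effect of that one-line change concrete, here is an added, self-contained PHP model; it is not PostNuke's own code. cookiedecode_model() and is_user_model() are stand-ins for PostNuke's cookiedecode() and is_user(), the cookie layout follows the base64 "uid:uname:pass:..." format shown in the snippet above, and the three sample cookies are constructed. The two refresh functions reduce the article.php block to its guard condition so the difference between the unpatched and patched forms is visible for each request.

```php
<?php
// Added illustration of the article.php guard; not PostNuke's own code.
// The point of the fix: the cookie refresh must run only when the request
// already carries a valid logged-in user cookie, not merely because the
// $save parameter is present.

// Stand-in for cookiedecode(): the "user" cookie is base64 of
// "uid:uname:pass:storynum:umode:uorder:thold:noscore" (format from the snippet).
function cookiedecode_model($user)
{
    if (!is_string($user) || $user === '') {
        return array();
    }
    $raw = base64_decode($user, true); // strict mode rejects junk input
    if ($raw === false) {
        return array();
    }
    return explode(':', $raw);
}

// Stand-in for is_user(): a real user cookie carries a positive numeric uid.
function is_user_model($user)
{
    $cookie = cookiedecode_model($user);
    return isset($cookie[0]) && preg_match('/^\d+$/', $cookie[0]) && (int)$cookie[0] > 0;
}

// Unpatched shape: any request with $save set reaches the cookie write.
function refresh_cookie_unpatched($save, $user)
{
    if ($save) {
        return 'cookie-written';
    }
    return 'no-op';
}

// Patched shape, using the one-line condition from the advisory.
function refresh_cookie_patched($save, $user)
{
    if (($save) && (is_user_model($user))) {
        return 'cookie-written';
    }
    return 'no-op';
}

// Constructed sample requests, all with save=1.
$samples = array(
    'anonymous' => '',                                      // no user cookie at all
    'logged-in' => base64_encode('42:alice:hash:10:0:0:0:0'), // constructed valid cookie
    'garbage'   => 'not-base64!!',                          // malformed cookie value
);

foreach ($samples as $label => $cookie) {
    printf("%-10s save=1  unpatched: %-14s patched: %s\n",
        $label,
        refresh_cookie_unpatched(1, $cookie),
        refresh_cookie_patched(1, $cookie));
}
```

Run it with `php guard_model.php`. Only the logged-in sample reaches the cookie write in the patched form; the anonymous and malformed samples fall through to the no-op branch, which is exactly the behaviour the added is_user() check is meant to enforce.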
I believe this fix will work for PHPNuke users as well, in case a fix is not forthcoming.

Apologies on this one, I wish we had caught it before the release of .6.4, but better late than never.

Download the fix from SourceForge -- In the fix file packages.