Help Net Security has word of a serious issue with PHPnuke: "After testing just a few scripts on phpnuke I have noticed the following:
Some fields in the registration form allow code
and fail to filter out the tags.
e.g Interests: src=http://www.anything.com/defaced.gif>
Also when faking a form and posting from local file (user.php.html) after editing a few
fields like the avatar picture for example, it is possible to escape surtain dirs with the
../../../../dir/pic.gif in the options field."