In one of his new weblog posts, John Cox takes a more detailed look at a note from the PHPSec mailing list concerning SilverNews.
I disagree with this being a security problem with the package though. Any script that allows editing of a template or a file could potentially allow an exploit. Is that the developer's fault?
I have never seen a title as long and filled with more exploits as the recent security notice on SilverNews. SQL Injection, login Bypass, remote commands execution, cross site scripting all rolled into a single exploit.
I like that he states that even straight "out of the box", he considers a security audit a very good thing - and I definitely agree. Unfortunately, even some of the more "professional level" applications out there have these glaring security holes that no one thinks about until it's too late. Plus, when you throw things like XSS and SQL injections into the mix, there's just all sorts of fun to worry about...




