1
ChadK
SQL Injection issue
  • 2004/7/12 18:05


Over at RunCMS (how I found XOOPS in the first place) they have a new download to fix some files with SQL injection problems. Is this a security risk for those of us running original XOOPS 2.x?

2
Herko
Re: SQL Injection issue
  • 2004/7/12 18:18


RunCMS is a derivative of e-Xoops, which in turn is a derivative of an old XOOPS 1.2 beta version. So, at least 1.5 years of separate development and, in the case of XOOPS, a whole lot of development (big rewrite for XOOPS2) between the two systems.

I think it's safe to say that the XOOPS core is safe. Modules, we can't be sure just yet...

Herko

3
DonXoop
Re: SQL Injection issue

I'll echo Herko's statement. The core is pretty secure and attention is paid to these unseen details. The latest 2.07 release fixes one that is being targeted right now. Thank you X.

Some things to do:
Try to run as much, if not all, of your site with PHP's Register_Globals = Off

Monitor your server logs and look for suspicious activity.

Run the latest and greatest versions of Apache, PHP, MySQL etc.

Firewall

Consider excluding certain modules from search engines (robots.txt) if the module has little relevance on a search engine or if in doubt about the security. Crackers use the search engine to find specific modules in a targeted attack.

Keep up to date with news about cracks and updates. The crackers do and so should you.

Don't go overboard with bling on the site if it doesn't actually enhance the content. Statistics, chat/shout, beta/alpha releases, and some other underdeveloped apps left open to anonymous users can be risky.

I can tell you that my server is targeted almost daily with XOOPS-specific crack attempts. For now I'm safe since I know what they are doing and I'm not vulnerable to the attacks I've seen so far. But I don't relax.
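The advice above to monitor server logs, sketched as an added example (not part of the thread and not XOOPS code): a Python scan of Apache access-log lines for common SQL injection indicators in the query string. The sample lines, IP addresses and the `/modules/example/` path are constructed, and the patterns are heuristics, not a complete rule set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic indicators only; tune per site to limit false positives.
INDICATORS = {
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "quote-boolean": re.compile(r"['\"]\s*(or|and)\b", re.I),
    "sql-comment": re.compile(r"(--\s|--$|/\*|#\s*$)"),
    "schema-probe": re.compile(r"\binformation_schema\b", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

def decode(value, rounds=2):
    """URL-decode up to `rounds` times so double-encoded input is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return {client_ip: [(timestamp, path, status, [indicator names])]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        parts = urlsplit(m["target"])
        query = decode(parts.query)
        names = [n for n, rx in INDICATORS.items() if rx.search(query)]
        if names:
            hits[m["ip"]].append((m["ts"], parts.path, int(m["status"]), names))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, hypothetical module path).
SAMPLE = [
    '192.0.2.10 - - [12/Jul/2004:18:20:01 +0000] "GET /modules/example/view.php?q=rock+and+roll HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jul/2004:18:21:14 +0000] "GET /modules/example/view.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 812',
    '198.51.100.7 - - [12/Jul/2004:18:21:15 +0000] "GET /modules/example/view.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812',
    '203.0.113.5 - - [12/Jul/2004:18:25:40 +0000] "GET /modules/example/view.php?id=1%2527%2520or%25201 HTTP/1.1" 404 210',
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

The status code is kept in each hit because a 200 on a flagged request deserves a closer look than a 404 or 500.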
