Phpmps 2.0 GBK Help. php $ keywords SQL Injection Vulnerability

Affected Versions:
Phpmps 2.0 GBK

Vulnerability description:
Phpcms is a leading website content management system in China and an open-source PHP development framework. Phpcms consists of more than 20 functional modules, including content model, Member, question bar, topic, finance, order, advertisement, email subscription, short message, custom form, and full-site search, built-in five content models: News, images, downloads, information, and products. Phpcms adopts modular development. It supports custom content models and member models, and supports custom fields.

Help. php file, get the value of keywords, only use trim function, remove the first null, directly into the SQL query

// Obtain the document list

$ Keyword =! Empty ($ _ REQUEST [keywords])? Trim ($ _ REQUEST [keywords]):;
$ Typeid =! Empty ($ _ REQUEST [typeid])? Intval ($ _ REQUEST [typeid]): 0;

If (! Empty ($ keyword ))
{
$ Arr = array ();
$ Keywords = AND (;
$ Keywords. = "(title LIKE % $ keyword % OR keywords LIKE % $ keyword % )";
$ Keywords. = );
}
$ Typeid = $ typeid? "AND typeid = $ typeid ":;
$ Page =! Empty ($ _ REQUEST [page]) & intval ($ _ REQUEST [page])> 0? Intval ($ _ REQUEST [page]): 1;
$ Size =! Empty ($ _ CFG [pagesize]) & intval ($ _ CFG [pagesize])> 0? Intval ($ _ CFG [page_size]): 20;
$ SQL = "SELECT COUNT (*) FROM {$ table} help WHERE 1". $ keywords. $ typeid;
$ Count = $ db-> getOne ($ SQL );

Let's take a look at the common. php file under include, which is in line 28th.

// Escape the data submitted by the client

If (! Get_magic_quotes_gpc ())
{
$ _ POST = stripslashes_deep ($ _ POST );
$ _ GET = stripslashes_deep ($ _ GET );
$ _ COOKIE = stripslashes_deep ($ _ COOKIE );
}

If GPC is disabled, use the UDF stripslashes_deep to process the submitted characters. The stripslashes_deep file is in the global. fun. php file under the include directory.

Function stripslashes_deep ($ value)
{
Return is_array ($ value )? Array_map (stripslashes_deep, $ value): (isset ($ value )? Stripslashes ($ value): null );
}

The default GPC is ON, which is enabled. The stripslashes_deep function is not executed. <* Reference
I am from rural areas

Http://t00ls.net/
Http://sebug.net
*>
SEBUG Security suggestions:
Vendor patch:
PHPCMS
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.phpcms.cn/