By: xhming
The homepage calls require(PHP168_PATH."inc/label.php");
Following it further:
label.php
if($jobs=='show')
{
    if(!$_COOKIE['Admin'])
    {
        showerr("[message garbled in source]");
    }
    // [comment garbled in source]
    // The /e modifier evaluates the replacement as PHP code: label_array_hf() is called for every $label[...] found in the template
    preg_replace('/\$label\[([a-zA-Z0-9\_]+)\]/eis', "label_array_hf('\\1')", read_file(html("head", $head_tpl)));
    preg_replace('/\$label\[([a-zA-Z0-9\_]+)\]/eis', "label_array_hf('\\1')", read_file(html("foot", $foot_tpl)));
    // $label_hf [rest of comment garbled in source]
    is_array($label_hf) || $label_hf = array(); // ---------- Note! An existing array is kept as it is
    foreach($label_hf AS $key => $value)
    {
        // $key is interpolated directly into the query
        $rs = $db->get_one("SELECT * FROM {$pre}label WHERE ch='$ch' AND tag='$key' AND module='$ch_module' AND chtype='99'");
        if($rs['tag'])
        {
            $divdb = unserialize($rs['divcode']);
            $label[$key] = add_div($label[$key] ? $label[$key] : '', $rs['tag'], $rs['type'], $divdb['div_w'], $divdb['div_h'], $divdb['div_bgcolor'], 99);
        }
        else
        {
            $label[$key] = add_div("[message garbled in source]", $key, 'NewTag', '', '', '', 99);
        }
    }
The $label_hf array is not initialized. The loop then places each of its subscripts, $key, into an SQL statement. In addition, addcslashes does not handle array subscripts, which results in an injection vulnerability. Unfortunately, what the statement returns is not displayed on the homepage, so the injection is blind.
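A hardened form of the loop above, added here as an example (it is not code from PHP168 or from the original post): keys are checked against the character class the template regex accepts, and the lookup uses bound parameters. It assumes PDO with the SQLite driver as a stand-in database; safe_label_keys(), lookup_labels() and the table layout are hypothetical.

```php
<?php
// Added example, not PHP168 code. safe_label_keys() and lookup_labels() are
// hypothetical helpers; the table layout is assumed from the query above.

// Accept only keys made of the characters the template regex allows.
function safe_label_keys($candidate): array
{
    $keys = [];
    foreach ((is_array($candidate) ? array_keys($candidate) : []) as $key) {
        $key = (string)$key; // numeric-looking keys arrive as integers
        if (preg_match('/\A[a-zA-Z0-9_]+\z/', $key)) {
            $keys[] = $key;
        }
    }
    return $keys;
}

// Look up each label with bound parameters, so a key is never part of the SQL text.
function lookup_labels(PDO $db, $label_hf, int $ch, int $ch_module): array
{
    $stmt = $db->prepare(
        'SELECT tag FROM label WHERE ch = ? AND tag = ? AND module = ? AND chtype = 99'
    );
    $found = [];
    foreach (safe_label_keys($label_hf) as $key) {
        $stmt->execute([$ch, $key, $ch_module]);
        $found[$key] = $stmt->fetchColumn() !== false;
        $stmt->closeCursor();
    }
    return $found;
}

// Constructed stand-in for the CMS database (in-memory SQLite via PDO).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE label (ch INT, tag TEXT, module INT, chtype INT)');
$db->exec("INSERT INTO label VALUES (1, 'top_news', 0, 99)");

// Constructed input: two plain label names and one key containing a quote.
// In the application, $label_hf should be assigned unconditionally before use
// rather than kept whenever it already happens to be an array.
$label_hf = ['top_news' => '', 'side_ad' => '', "top_news'x" => ''];

var_dump(lookup_labels($db, $label_hf, 1, 0));
```

The key containing a quote is dropped by safe_label_keys() before any query runs, and the remaining keys reach the database only as bound values.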
member/list.php
if($step==2)
{
    if(!$aidDB) //-----------------------------------------
    {
        showerr("[message garbled in source]");
    }
    elseif(!$type)
    {
        showerr("[message garbled in source] ...");