[Original text] SQL injection vulnerability in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the rowstart parameter to (1) index.php or (2) members.php, or (3) the comment_id parameter to comments.php.
PHP-Fusion contains a flaw that allows an attacker to inject arbitrary SQL code. The rowstart parameter in the members.php script is not properly validated, which allows an attacker to inject or manipulate SQL queries.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Manually edit the code to properly sanitize the input.
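
One way to apply this workaround to an integer paging parameter such as rowstart (the same helper fits comment_id) is to reject anything that is not a non-negative integer and to bind the value instead of concatenating it. This is an added example, not PHP-Fusion's code; it assumes PHP 7.1+ with PDO and pdo_sqlite, and the users table, its columns and the function names are hypothetical.

```php
<?php
// Added example; not PHP-Fusion source. Table, column and function names are hypothetical.

// Return the parameter as a non-negative int, $default if absent, null if invalid.
function int_param(array $src, string $name, int $default = 0): ?int
{
    if (!isset($src[$name])) {
        return $default;
    }
    // Arrays, negative numbers and strings with trailing SQL all fail validation.
    $v = filter_var($src[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

function list_members(PDO $db, array $query, int $per_page = 20): array
{
    $rowstart = int_param($query, 'rowstart');
    if ($rowstart === null) {
        throw new InvalidArgumentException('rowstart must be a non-negative integer');
    }
    // The offset is bound as an integer and never becomes part of the SQL text.
    $st = $db->prepare(
        'SELECT user_id, user_name FROM users ORDER BY user_name LIMIT :lim OFFSET :off');
    $st->bindValue(':lim', $per_page, PDO::PARAM_INT);
    $st->bindValue(':off', $rowstart, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT)');
$db->exec("INSERT INTO users (user_name) VALUES ('alice'), ('bob'), ('carol')");

// Constructed request parameters: valid, absent, and three malformed values.
$samples = [['rowstart' => '1'], [], ['rowstart' => '1 OR 1=1'],
            ['rowstart' => ['1']], ['rowstart' => '-1']];
foreach ($samples as $query) {
    try {
        $names = array_column(list_members($db, $query, 2), 'user_name');
        echo json_encode($query), ' -> ', implode(',', $names), "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($query), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```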